Dos and Don’ts of Role Management Software, PAGE 20

Today’s investigations require skills from many disciplines. Read inside to get a clue, page 26

Dan Geer on life at In-Q-Tel, PAGE 36

September 2008 $9.00 www.csoonline.com


Energy consumption in datacenters is expected to double in the next five years. Yet many businesses still don’t know how much energy their IT is using. So how do you build and manage your IT to reduce energy consumption? With greener software from IBM: a complete range of energy-efficient software to optimize your infrastructure, boost business process efficiency and put practices in place for truly responsible collaboration. With energy at a premium, greener software can help shave millions off your IT and energy budgets. A greener world starts with greener business. Greener business starts with IBM.

SYSTEMS. SOFTWARE. SERVICES. FOR A GREENER WORLD.

Get our green strategy whitepaper at ibm.com/green/software

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml. © 2008 IBM Corporation. All rights reserved.


September 2008 Vol. 7, No. 7

Features...

26 Merge Ahead
Cover Story | Investigations
There’s no such thing as a digital investigation. Or a physical one. Searching for clues and resolutions requires a blend of disciplines governed by a flexible forensic mind-set. By Malcolm Wheatley

30 Safety Dance
Safety and Security
Security and safety often go hand in hand, but sometimes they conflict. Here are ways to cooperate to achieve both departments’ goals. By Fred Hapgood

36 Intelligence Quotient
Interview
Security pioneer Dan Geer on his work as CISO for In-Q-Tel. By Bill Brenner

38 Bridging the Generation Gap
Management
Boomers, Gen X and Gen Y present unique security challenges on the job. Do your employees know what types of risk they create? By Joan Goodchild

Also Inside...

4 From the Editor
6 From the Publisher

8 Join the Discussion
CSOonline readers discuss border searches of laptops and getting staff buy-in.

11 Briefing
■ SCADA worries
■ Iowa floods
■ DNS crisis
■ Spam king dies
■ SAS 70 changes
■ Laptop bags

20 Toolbox
Role-Playing
Role management can help automate permissions and workflows. Here’s practical advice on doing it well. By Mary Brandel

44 Industry View
Security ROI: Fact or Fiction?
ROI is a big deal in business, but it’s a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies. By Bruce Schneier

48 Debriefing
New England Crack


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2008 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: f:. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


2  www.csoonline.com  September  2008 


Cover  Illustration  by  Steve  Traynor 


The latest and greatest in online security. Also the greenest.

Get visible site security from the company your customers trust.




It’s simple: a green bar means your site is secure. For your customers, this means they can trust their Web experience. It’s all done through VeriSign® Extended Validation (EV) SSL Certificates, which verify and visually represent the authenticity and security of Web sites. This protects you and online customers. Combine visitor confidence with the strongest encryption available to each site visitor to maximize your site’s overall security profile.

Get your free white paper, The Latest Advancements in SSL Technology, at www.verisign.com/cso or call 1-866-893-6565 or 1-650-426-5115.

© 2008 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, VeriSign Secured logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


[ FROM THE EDITOR ]

Connections and Intersections

Security is perhaps the most difficult intellectual profession on the planet. The core knowledge base has reached the point where new recruits can no longer hope to be competent generalists; serial specialization is the only broad option available to them.

-Dan Geer at the Source Boston conference, March 2008

Specialists are in many respects the lifeblood of a security organization. It takes years to learn the nuances and details of financial fraud. There is no shortcut to this knowledge. Similarly, you don’t become great at network forensics by spending a few casual hours here and there reading documentation. Excellence in any area requires hands-on experience, trial and error, care and thought. And security’s various subdisciplines aren’t static; today they change faster than ever, demanding ongoing study and training even from longtime veterans.

However, for better or for worse, business problems often resist being crammed into narrow shoeboxes. As Malcolm Wheatley’s cover story (Page 26) demonstrates, internal investigations are a case in point. If an employee is suspected of theft or fraud, the investigation may entail some network forensics. And some financial audit work. And a look at building access logs or surveillance video. The right mix of specialists involved depends on the particulars of the case, but it’s increasingly unlikely that a single specialist is going to resolve a case of any complexity.

The intersection of security and safety is another example, explored by Fred Hapgood, starting on Page 30. Con-way Freight CSO Curtis Shewchuk spells out the challenge: There are synergies between the two areas that organizations can and should look to exploit, but at the same time just staying on top of OSHA or C-TPAT requirements demands a specialist’s full attention.

So add it to the pile of challenges facing every CSO today: You have to figure out how to address the demands of specialized fields while keeping your other eye on the intersections and connections among them.

Dan Geer himself, who states the case for specialization in the opening quote above, is, ironically, also one of the field’s most nimble minds, and one who continually casts light on security by putting it in the context of other disciplines. So it’s appropriate that you’ll find more of Geer’s observations in this issue of CSO as well, in a Q&A with Senior Editor Bill Brenner on Page 36.

I hope you’ll find that Geer’s thoughts, and indeed this entire issue of CSO, help you look at security’s connections and intersections in productive new ways.

-Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Senior Editor Bill Brenner
Senior Editor Joan Goodchild
Copy Editor Susan Bryant-Still
Associate Copy Editor Kristin Burnham
Editorial Assistant Jarina D’Auria
Editorial Administrator Simone Levien
Contributors Scott Berinato, Mary Brandel, Rick Cook, Michael Fitzgerald, Fred Hapgood, Chad McDonald, Robert McMillan, Michael Overly, Bruce Schneier, Malcolm Wheatley

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson
Senior Research Analyst Seanna Maguire

CXO MEDIA/IDG
COO Matt Smith
CSO Robert Hayes

TECHNICAL ADVISORY BOARD
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan




Photo  by  Webb  Chappell 




» Want it all? There is one way to remain profitable and competitive while growing the network to meet user needs — and still restrict non-job related access to keep your enterprise safe: Call Juniper.

Juniper Networks’ security and infrastructure solutions power high-performance business, securely linking employees, vendors, customers — everyone — with the resources they need. It’s real-time applications and services any time, all over a single network. With unprecedented levels of performance, availability and flexibility, plus the scalability your business model demands. Leverage your network — more securely and cost-effectively — for greater productivity. The switch is on to comprehensive network security: www.juniper.net/access


Juniper Networks
1.888.JUNIPER


[ FROM THE PUBLISHER ]

Opposing Forces in a Down Market

It seems that every day there is more bad news about the economy. For months now we have watched as the markets have contracted, driven by trade deficits, soaring oil prices and ever-tightening lending markets. As I write this, oil prices have been falling (which is a good harbinger), but inflation is beginning to climb at a steeper pace. And as we have watched the economic climate become more challenging, you can rest assured that your CEOs have watched as well.

I imagine that, by now, you too are under pressure to control expenses in your enterprise as corporate leadership struggles to maintain earnings in an increasingly challenging market. I hear from many CSOs that, while spending isn’t necessarily being rolled back (and there is significant pressure to do just that), they are being forced to focus on their top four or five initiatives next year, as opposed to their overall list of 20-plus. This puts CSOs in a difficult position.

In a tightening economy, history has proven that the risks faced by businesses increase significantly. When times begin to get tough for individuals, many will turn to crime to abate their diminishing financial situations. Oddly enough, these criminals operate in much the same way as any business would. To improve performance, they begin by trying to increase their revenue; it’s much more acceptable than cutting their expenses.

Electronic attacks will continue and may get worse as criminals seek to exploit vulnerabilities for financial gain. Given the shift over the last several years as electronic exploits have focused increasingly on financial gain, we are at a point where the “bad guys” are well-versed in taking advantage of our dependence on insecure electronic environments.

In the physical world, particularly in retail environments, shoplifting ratchets up as individuals and organized groups try that much harder to generate revenue for their own personal gain. Fraud also increases.

Unfortunately, we are setting ourselves up for a classic battle in our corporate cultures as the forces that are trying to cut expenses collide with those who see the need for continued, and maybe even increased, spending on security to mitigate the growing frequency and intensity of potential threats. And the last thing that any CEO wants to hear is, “We can’t cut. We need to spend more.” Unfortunately, that is the reality. The challenge for you is, as is often the case, to translate the value of the organization’s investment in security into the business value that it delivers to the organization. Whether that value is fewer data breaches, reduced shrinkage or whatever metric you happen to use in your industry, be sure to make that argument now before any cuts are mandated by uninformed leaders whose actions could significantly increase the risk to your business.

-Bob Bragdon, bbragdon@cxo.com


Advertiser Index

AlliedBarton Security Services 7
Avatier Corp 41
CA Inc C4
CSC 33
CXO Media Inc 13, 47
Executive Women’s Forum 12a
HID Corp 43
IBM Corp C2
Intel Corp C3
ISACA 10
Juniper Networks Inc 5
Lumension Security 19
Oxford Computer Group 17
PricewaterhouseCoopers LLP 35
Protegrity Corp 45
Reconnex Corp 25
RSA Security Inc 15
SecureWorks 21
Sun Microsystems Inc 33
VeriSign Inc 3


President and CEO Michael Friedenberg
Publisher Bob Bragdon
Senior Ad Sales Associate Christine McKay
East Coast Regional Manager Roz Burke
Regional Sales Manager Matt Knuth

INTEGRATED MEDIA AND ONLINE SALES
Vice President, Online Sales Brian Glynn
Online Regional Sales Manager Richard Hartman
Online Regional Sales Manager, West Coast Erika Karr
Online Regional Sales Manager, Midwest Sarah Gaskin
Manager, Online Account Services Danielle Tetreault
Online Account Services Specialists Jennifer Malkasian, Tara Shea
Online Advertising Specialist Barbara Sullivan
Online Sales Associate Erin Sullivan

CUSTOM SOLUTIONS GROUP
Vice President Matt Avery
National Sales Director Adam Dennison

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley
Associate Production Manager Lisa M. Stevenson

EXECUTIVE PROGRAMS
VP, Executive Programs Ellen Daly
Director, Event Marketing Mary Conroy
Director, Event Operations Deb Begreen
Editorial Director Maryfran Johnson
National Sales Manager Per Meiker
Eastern Regional Sales Manager Sarah Moon
Sales Associate Lauren Costello
Event Planner Sarah Reagan
Event Planner/Client Relations Laura Biringer
Registration Specialist Cress O’Brien
Marketing Specialist Kristin Gallo
Client Services Specialist Erica Foster

LIST SERVICES
Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 150, cso@theygsgroup.com




Photo  by  Christopher  Navin 


AlliedBarton Security Services
1.866.825.5433 AlliedBarton.com

Local Response, National Support


For more than fifty years, AlliedBarton has been providing security officer solutions where our customers live and work. It’s this local response that allows us to meet their specific needs. It’s our national support that enables us to create and consistently deliver these programs with expertise.

AlliedBarton is changing the face of security across the nation. In Philadelphia’s Center City, an innovative security program focuses on recruiting individuals with security, customer service and concierge experience. Through award-winning AlliedBarton training, these individuals become security ambassadors who welcome and protect.

We Do Our Job So You Can Do Yours.

See how AlliedBarton provides innovative security solutions for clients at AlliedBarton.com/Solutions.


Meet Jackie.

She provides protection...and advice on where to find the best cheese steak in Philly.

Jackie Goins
AlliedBarton Security Officer | Philadelphia, PA


What’s on your mind? Security leaders discuss and debate at www.CSOonline.com


BLOG POST

More Rumblings at the Border

Michael Overly on new laptop seize-and-search rules

I have written before about the recent concerns regarding border searches of laptops and other electronic devices. More recently, you have probably read about the memo issued by U.S. Customs and Border Protection, entitled “Policy Regarding Border Search of Information.” The memo more clearly defines the broad rights granted agents to search “documents, books, pamphlets and other printed material, as well as computers, disks, hard disks and other electronic or digital storage devices.” Translation: Border agents can search essentially everything even “absent individualized suspicion.”

These are, to say the least, very expansive rights that raise serious questions. While privacy has been the foremost issue discussed in connection with these searches, consider some other, less obvious problems. What does the search right mean for information that is subject to a legal privilege (e.g., attorney-client, doctor-patient, clergy-congregation member, etc.)? What about information that constitutes trade secrets, which only has value if it is kept confidential? What about information provided to you by a business partner that is subject to a strict nondisclosure agreement? What about commercial software that is licensed for use by the owner of the laptop, but then is copied and used by border agents and their experts? What about the fact that all of the foregoing information is being shared with a government entity and potentially others, without the benefit of a confidentiality agreement or court order that would otherwise limit disclosure? How long will copies—whether electronic or hard copy—of the information be retained by the government? What, if any, measures will be used to securely delete or destroy the information after the government completes its review?

These are significant questions for which there are no clear answers. If confidential, trade secret, privileged information is shared with an unrelated third party (i.e., border agents and their designates) without the benefit of a nondisclosure agreement or court issued protective order, the information may lose its value and the ability to be protected.

Because of the foregoing, there have been calls for legislation to address this threat. Unfortunately, as with any legislation, the time until any new law takes effect is far in the future. In the meantime, I suggest businesses are likely under a duty to take steps to reduce exposure of their corporate information in these types of warrantless searches. This means considering removing sensitive data from laptops and other media being taken abroad and only using “data-free” laptops while traveling. That is, laptops would only access data through VPNs to corporate servers or other cloud-computing environments. While not a perfect or convenient solution, the loss of control over corporate data posed by these new border searches justifies appropriate efforts to mitigate the risk.

-Michael Overly

RESPONSE

I HAVE BEEN following this issue closely as a regular international traveler often working in sensitive areas of Rule of Law. A significant problem not discussed is the international principle of “reciprocity.” What one country does in international practices is permitted by another country equally. The simple example is visa fees are often based on reciprocity.

This practice by the U.S. now permits the reciprocal practice on entry to another country. If the U.S. starts seizing data as described from visitor laptops, a U.S. citizen’s laptop is also now fair game on entry in any other country. Each of us could create our own list of countries where that would be a very bad occurrence. Likewise, whatever assurance the U.S. government gives, you can bet that this assurance will not be legitimate if given by any number of foreign governments. Trade secret issues are magnified once one starts to think of other governments stealing business and personal data with full impunity.

This is an incredibly overbroad and unnecessary policy that will harm all of us with little to no gain in security.

-Anonymous

Photo by AP Images/Worldwide

RESPONSE

I HAVE FOLLOWED this story only recently here and in the Federal Times. Just because an agency issues a memo or guideline does not make it a law. This policy would seem to lack both legislative and/or judicial process.

It should simply be challenged in a federal court and a restraining order sought until the issue is settled. Who pays for it? Those hurt by it. Go for a class action. Simply accepting agency rulings as a given is the least wise choice available.

-Anonymous

MORE ON THE WEB

Listen Up
Hear Dan Geer on life at In-Q-Tel, Providence Health CSO Eric Cowperthwaite on cleaning up from HIPAA violations, and more. Senior Editor Bill Brenner’s Security Perspectives audio. See www.csoonline.com/podcasts

BLOG POST

Can You Trust Your Plans?

Chad McDonald’s unique suggestion for getting staff buy-in

Incident response plans, disaster recovery plans and business continuity plans are essential components in a well-developed information security program. If you aren’t regularly testing your plans, then you are gambling with the future of your business.

Nothing within the realm of information technology is or should be a gamble. The very concept of a “gray area” violates the binary nature of modern technology. Despite this, many organizations don’t test their recovery and continuity plans. To these organizations I say, wake up! When (not if, but WHEN) the time comes that you have to activate your plan, rest assured that you’ll be running around with your pants around your ankles while Rome burns.

I know what you’re thinking: Testing is expensive, time consuming and boring. It’s best to think of it as insurance against the inevitable. I know that when it comes time to approve your budget that the CEO wants to forget you much like he tries to forget the rash that he brought back from the rodeo clown in Vegas. Nonetheless, testing is imperative. A plan that hasn’t been tested is really just a guess. You’re guessing that the actions you define in your plan will work. You’re guessing that you’ll be able to continue operations. You’re guessing that you’ll be able to recover your customer database. Most importantly, you’re guessing that you’ll have a job when this is all over.

As for boring, just sell the testing exercise as a role-playing game. System administrators love role-playing games. Tell them it’s a live action version of Dungeons and Dragons! Heck, buy them some plastic swords and helmets.... On second thought, save that money. They’ll probably already have costumes...I mean battle gear. Gather Sir Linux-alot and his minions together and test your plan from start to finish. I can pretty much guarantee that you will find things that don’t work, and that’s actually good. The goal of this exercise...I mean mission...is to look for those things and fix them. It’s a heck of a lot easier to fix them in a normal environment than it is to fix them when you’re in the dungeon...I mean recovery mode. When it’s all over, you’ll have a plan that you can feel confident in and your staff will know what they are supposed to do when the grog hits the fan, er dragon.

On a side note, be prepared for massive requests for changes to the dress code. Once you open the door to your staff wearing animal pelts and wizard robes into the office, there’s no closing it.

-Chad McDonald

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief, dslater@cxo.com, 508 935-4213
Bill Brenner, Senior Editor, bbrenner@cxo.com, 508 988-7587
Joan Goodchild, Senior Editor, jgoodchild@cxo.com, 508 988-7994

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 150, cso@theygsgroup.com




CERTIFIED INFORMATION SECURITY MANAGER

Exam Registration: 24 September 2008
Exam Date: 13 December 2008

www.isaca.org/csomag


Certified Information Systems Auditor

“What a nightmare, and such a coward”

Edited by Bill Brenner


Why SCADA Security Must Be Addressed

The threat to SCADA systems is largely hypothetical today, but experts see real incidents around the corner

Industrial control systems, including SCADA (supervisory control and data acquisition), have come under the security spotlight in recent years following a sprinkling of incidents, most notably the Slammer worm infestation at Ohio’s Davis-Besse nuclear power plant in 2003, and post-9/11 attention to terrorist threats.

But SCADA security (see also www.csoonline.com/article/219486) is a tough nut to crack, buried beneath a complex mix of technology, attitude and a particularly intractable set of network characteristics. Still, industry experts see the risk to SCADA systems growing in the not-too-distant future. Not only are there very real dangers, but regulatory agencies are beginning to take notice and impose requirements.

Matthew Luallen, owner of Encari, a Chicago-based information security consultancy, points out that the electric utility industry is already under a three-year program to improve security. The sanctions for noncompliance, he says, can run up to $1 million a day.

Fundamentally, the control world has changed, particularly at the high end with methods like SCADA. There are more open systems, wireless technologies are becoming popular and there’s increased connectivity, both internally and externally. There are more outsourced services and strategic alliances among vendors, which encourages openness and interoperability. Plant environments have become complex with multiple vendors’ equipment, proprietary systems and mission-critical applications all tied together in complex networks; all must function in a time-constrained fashion.

“Supervisory and information control systems in manufacturing facilities are evolving rapidly, and with the technological advances come security risks,” Wonderware VP of global product management Rashesh Mody said in a recent white paper.

Lack of understanding between industrial automation and corporate IT is also a problem. Automation has evolved along very different pathways than corporate IT, and relations between the two groups all too often run from mutual incomprehension to outright hostility.

There is not even a lot of agreement about the level of the threat. The people in the controls business see problems as unlikely because of the separation between factory and office networks. Computer security experts like Alan Paller of the SANS Institute see the danger as very real.

Paller points out that most of the incidents that have attracted attention involved highly regulated industries such as nuclear power plants, which are required to report out-of-the-ordinary activity.

“The fundamental problem is that although senior executives were told SCADA systems are not connected to the Internet, in fact they’re connected to routers, and those routers are connected,” Paller says.

The availability of security features in control system software also varies widely. As CERN, the international physics laboratory in Geneva, noted in a November 2007 report, “vulnerability scans at CERN using standard IT tools have shown that commercial automation systems often lack even fundamental security precautions: Some systems crashed during the scan, while others could easily be stopped or have their process data altered.”

However, some of the control system vendors are taking security seriously. After the well-publicized discovery of a security flaw in its SuiteLink product, Wonderware began an extensive campaign to upgrade the security of its products.

Further, a lot of the doomsday scenarios are overblown. Andrew Ongun, general manager of Evolutionary Commercial Systems, a Huntington Beach, Calif., consultancy specializing in control systems, points out that, for example, a lot of the equipment has built-in sanity checks that won’t allow parameters to reach dangerous levels, no matter how badly the system is hacked. -Rick Cook


Photo  by  istockphoto 


September 2008 www.csoonline.com




>>  BRIEFING 


Q&A 


A Tragic Lesson in Business Continuity

For security administrator Deb Hale, the recent tornadoes and floods in Iowa hit close to home and provided a sobering lesson




As Midwesterners recently discovered, natural disasters strike without warning, snuffing out lives, homes and businesses.

Deadly storms, including tornadoes and flooding, that ravaged the area earlier this summer hit too close to home for Deb Hale, security administrator at Iowa-based telecommunications provider Long Lines.

But from the tragedy came valuable insight into the art of business continuity.

Given the critical infrastructure the company relies on, many organizations would suffer dearly if a disaster forced Long Lines to cease operations.

Hale recently shared her experiences and outlined the most important things a company can do to survive what Mother Nature decides to unleash.

CSO: Your company is located on the other side of the state from where the flooding happened, but was there any collateral damage in the form of service disruptions and the like?

Deb Hale: We have been pretty fortunate. We had two vendors located in the Cedar Rapids area that we receive a lot of support from. One of the vendors had multiple locations within the state so they were able to transfer phones, services and so on over to the other locations in the state that were not impacted. The other vendor provides a service to us via the Internet. This company had the good fortune to have a president and company founder who understood disaster planning and so they had redundant systems. With one gone, the other jumped in and took the load.

A tornado touches down in Orchard, Iowa, June 10, 2008, at 9:04 p.m. Lori Mehmen of Orchard took the photo from outside her front door.

I'm sure communication has been a problem, though.

The biggest issue we had is that it took a little longer to get a hold of them. This was due to the fact that many of the employees for these two vendors had personal losses of home and property and were attempting to deal with these losses and the cleanup involved.

You mentioned that the tornado that hit the Boy Scout camp was closer to where you are. Does your company have any kind of preparedness plan for how to protect employees and infrastructure in the event of a tornado or other event?

The location of our company has many potential hazards, being close to a highway, major interstate system, airport, military facility, railroad tracks, rivers and so on. We are very fortunate to have leadership that understands what disasters are all about. Many of our employees are volunteer EMTs, firefighters, response personnel, and one of the owners is a member of our US&R (Urban Search and Rescue) Team.

We attempt to be on top of things and have much of our equipment spread out in different locations throughout our service area. We are currently working on a comprehensive plan which will include a bunker facility.

The bunker facility will house redundant equipment and resources. With that we will be providing offsite backup service to businesses within our customer base.

That said, are there any fresh lessons you took from the disaster in terms of your own business continuity plan and any weaknesses recent events may have revealed?

I am a member of the Safeguard Iowa Partnership. We had a review meeting recently to discuss some of the things that went on during the response phase. Some partners, even though they were on high ground and had no flooding at their facility, were unable to get to the facility due to the flood water over all of the access roads.

We will be meeting in the near future to discuss the lessons learned in depth. I am sure that there are going to be many.

-Bill Brenner


Photo  AP  Images/Worldwide 


SEPTEMBER  CSO  •  VOLUME  4,  NUMBER  1 


6th Annual EXECUTIVE WOMEN’S FORUM on Information Security, Risk Management & Privacy

September 16-18, 2008 | Sheraton Wild Horse Pass | Chandler, AZ

Building a Holistic Risk Approach: The Power of Leveraging


Hosted by Alta Associates, Inc., the 6th Annual Executive Women’s Forum (EWF) brings together more than 200 women of influence, power and intelligence to explore the challenges of building a holistic risk approach.

Learn how industry experts are leveraging their technology, networks, and organizations to achieve success.

The EWF provides a unique atmosphere that fosters the development of creative ideas, innovative solutions and deep relationships. Join your peers in gaining practical knowledge of best practices.


WOMEN  OF  INFLUENCE 
AWARDS 

Nominate  your  peers,  clients  and 
customers  for  the  Women  of  Influence 
Awards.  Co-presented  by  CSO 
magazine  and  Alta  Associates,  the 
awards  honor  four  women  for  their 
accomplishments  and  leadership 
roles  in  the  fields  of  security,  risk 
management  and  privacy.  Winners 
will  be  announced  at  an  awards 
ceremony  during  the  Executive 
Women’s  Forum. 

Additional  Information  Available  at: 
www.infosecuritywomen.com 


For  more  information  on  the  EWF  or  to  register, 
please  visit: 


www.infosecuritywomen.com 


Attendees  from  the  2007  Executive  Women's  Forum. 


Media  sponsor  &  awards  co-presenter: 

CSO 

BUSINESS  RISK  LEADERSHIP 


Forum  host  &  awards  co-presenter: 


ADVERTISING  SUPPLEMENT 


Executive Women’s Forum


The  Face  of 
Leadership 

EWF  provides  critical  network  for 
women  in  IT  security 
By  Bob  Bragdon, 
publisher,  CSO  magazine 


Several years ago, I was at the RSA Conference in San Francisco and was invited by Joyce Brocaglia, president and CEO of New Jersey-based information security recruitment firm, Alta Associates, to meet with her at the W Hotel. She was having what she described as a “get-together” with some people from the Executive Women’s Forum (EWF). (EWF is an annual event for female information security practitioners and thought leaders, and was founded by Brocaglia.) I had no idea what I was walking into. Entering the lobby I was struck by the fact that this gathering of senior security leaders — all women — seemed like they were at a college reunion, reunited with their best friends. It was quite an eye-opener.

Why  the  Executive  Women's  Forum? 

While there have been many changes in the information technology and security fields over the past several years, the industry continues to evolve. At the same time, the face of its leadership has changed. More and more women have significant roles in IT and security — in government, the private sector and the corporate world. And evidence of this can be seen in the membership of the EWF.

The forum was founded in 2002 to address the needs of women in the information security, risk management and privacy arenas to network with each other, share information, and exchange advice and hard-earned wisdom. From its first conference in 2003 with less than 200 participants, the EWF has grown into an organization of over 400 influential and powerful women from companies ranging from small start-ups to Fortune 500 corporations.

Leadership Insights by: Alta Associates (page 3), CA, Inc. (page 8), Microsoft (page 10)

“The EWF is a way to provide a secure venue for women in IT to share ideas and build relationships with like-minded women.” — Joyce Brocaglia, CEO, Alta Associates

CSOFOCUS 3

“IT has traditionally been a male-dominated industry and we wanted to provide a trusted community for executive women in the field,” says Brocaglia. “The EWF is a way to provide a secure venue for women in IT to share ideas and build relationships with like-minded women. It’s a venue for them to become better, more successful executives in a field that has long been dominated by men.”

As corporate cultures shift from a purely technical focus on information and security to a better understanding of and alignment with it, companies are placing more value on business leadership skills: communication, collaboration, and leading through influence — skills many women naturally possess. “A lot of technology today focuses on interrelating with other human beings, on having smooth social relationships online,” says Michelle Dennedy, chief privacy officer at Sun Microsystems. “Women do this instinctively, so it’s critical to be inclusive and to encourage women to become leaders in the field.”


The Importance of the Network

The value of peer interaction cannot be overstated. Year after year in study after study, CSO magazine has found it is the most important and reliable source of information for security executives. And the EWF provides a great platform. “The EWF allows women to forge professional relationships with industry leaders they might not otherwise get access to,” says Tara Darbyshire, executive vice president of business development and sales at Archer Technologies, an enterprise risk and compliance solutions provider based in Overland Park, Kan. “I can walk up to the global CISO of an international bank or the chief privacy officer of an international conglomerate and get relevant, useful information. These are highly credible sources and that carries over to what I can do for my company and my clients.”

The EWF provides a trusted community for executive women in information security and related fields. At its annual conference, women build relationships, share their experiences and challenges, and mentor the next generation of leaders.

“A key value of the EWF conference is that the event is kept exclusive and small,” says Dennedy. “And some of it is because it’s a women-only event. Women approach the world of IT differently than men. And the forum fosters innovation among these leaders — innovation that we can then bring back and integrate into our corporations.” The conference is also a place where women build personal relationships. Dennedy and Darbyshire agree this is one of the most important values the forum delivers.

“Our members tell me that the conference offered them a unique and unparalleled experience,” says Brocaglia. “That this isn’t just a conference, but a life experience. And one of the best events they’ve attended all year.” Brocaglia believes that the forum is just a beginning — it’s also important to recognize those who excel in their field and create opportunities for others. Each year the Women of Influence awards, presented in partnership with CSO magazine, recognize the best and brightest among the leading women in the information security industry today.

Expanding  Opportunities 

With the success of its first few conferences, the EWF has begun looking for ways to expand its offerings. In 2005, Carnegie Mellon University faculty member Dena Haritos Tsamitis attended the EWF conference and met with Brocaglia. This initial meeting led eventually to the creation of the EWF Fellowship, which offers a full scholarship to one incoming female student each year in Carnegie Mellon’s Master of Science in Information Security Technology and Management program. “We believe in the mission of the EWF,” says Tsamitis. “It’s a unique group of highly regarded professionals in the information security field and its members understand the specific issues that women face.”

“I go back every year. It’s so good to surround myself with women who have ‘been there, done that.’” — Michelle Dennedy, chief privacy officer, Sun Microsystems

The EWF and Carnegie Mellon also created a mentoring program — Women@INI — for women graduate students in the Information Networking Institute. The program, in its first year, appears to be a great success. “The mentorship program shows our students the many facets and exciting future of information security,” says Tsamitis. “It’s important in attracting and retaining women in the field, and we expect it to encourage growth as well.”

Expanding  the  Network 

As the membership in the EWF grows, the organization continues to look for ways to expand its offerings. They recently held successful regional meetings in New York and Washington, D.C., allowing members to make connections and develop a local network in a time of cost cutting and travel restrictions. The regional meetings are also a great venue for mentoring the next generation of IT leaders. Members are encouraged to invite other women to these meetings — women on their team or from elsewhere in their organization — and other women who aren’t yet members.

The EWF is also expanding globally. While working on an assignment in London, Brocaglia met with some women who suggested that traveling to the U.S. wasn’t always a viable option for many of their peers. So, together with a U.K.-based advisory board comprised of some of the top CISOs and heads of risk management from large U.K. corporations, the EWF is now planning its first major international event, to be held in May 2009 in London.

“There is a tremendous amount of energy around the EWF coming to London,” says Lynn Terwoerds, head of security architecture and standards for global and commercial banks at Barclays Bank. “Here in the U.K. women in IT have the same issues as those in the United States — wanting to connect in a meaningful way, both personally and professionally. The EWF’s successful track record over the years has helped generate excitement here for this event.”

It’s no secret that the business world is smaller and flatter these days; expanding internationally will benefit all EWF members. Multinational corporations, international vendors and clients, and the variety of laws and regulations around the world make the global security environment significantly more challenging for today’s executives. By expanding abroad, the EWF gives its members the opportunity to network with international colleagues — and better understand cross-border security and technology issues, national and regional privacy regulations, and global best practices and benchmarking.


Coming Soon: The EWF Online Community

Whether it’s with somebody around the corner or on another continent, networking is a key component of the Executive Women’s Forum. To help facilitate this, an online community where EWF members can share ideas with each other will be rolled out soon, replete with relevant and timely content, research results, white papers and a blog. “The EWF is in some ways independent of geography,” says Terwoerds. “It doesn’t matter where you are if you make a strong enough connection and we can benefit from sharing insights and best practices globally.”

Networking, conferences, regional meetings, global expansion and an online community: it’s a tremendous resource for executive women in IT. “I go back every year,” says Dennedy. “It’s so good to surround myself with women who have ‘been there, done that.’”

“It’s an amazing reaffirmation of who you are as a woman in this profession,” agrees Darbyshire.

It’s about growth and empowerment, about making connections, and about women changing the face of security leadership — now and in the future. ■


Get more Online:

For more information about the Executive Women’s Forum, please visit www.infosecuritywomen.com.


“It’s  an  amazing  reaffirmation  of  who  you  are 
as  a  woman  in  this  profession.”  — Tara  Darbyshire 




CREDIBILITY 

With 22 years of experience recruiting in the security and controls industry, Alta has established a successful track record of helping companies build world-class IT Risk and Information Security organizations.

EXPERIENCE

Alta's executive recruiters are industry insiders who provide expert guidance on strategic hiring, career development, and certification processes. Depth of experience and industry focus are the key differentiators that set us apart.

PROCESS

Alta utilizes a proven process of defining client needs, understanding candidates' strengths, and aligning the two in a way that can substantially strengthen your organization.

ALTA’S FOUNDER AND CEO

Information Security magazine honored Alta’s CEO Joyce Brocaglia with a “Women of Vision” award, naming her one of the 25 most influential women in the industry. She is a frequent columnist, a sought-after speaker, and contributing author for two industry books, CISO Leadership: Essential Principles for Success and The Black Book on Corporate Security. Joyce also founded the Executive Women’s Forum on Information Security, Privacy, and Risk Management, www.infosecuritywomen.com.


STRATEGIC  PARTNER 

Alta  has  earned  the  reputation  of  strategic  partner  by  acting  as  an  extension  of  Human 
Resources.  Many  companies  rely  on  us  as  ongoing  advisors  for  industry  intelligence, 
contacts,  and  staffing. 


ACCESS 

Alta's  recruiters  have  unparalleled  access  to  the  industry's  best  professionals.  We  can 
deliver  qualified  and  certified  candidates — from  top-tier  executives  to  the  staffs  that 
support  them — with  a  high  ratio  of  resumes  presented  to  successful  hires. 


Specialists  in  executive  recruitment 
for  over  20  years. 


ASSOCIATES 

specialists  in  executive  recruiting 


8  Bartles  Corner  Road,  Flemington,  Nj  08822  •  P:  908.806.8422  •  www.altaassociates.com 




Alta  Associates 


At the Helm of Recruitment

Alta Associates raises bar on profession, business growth and human capital


For  more  than  two  decades,  Alta  Associates  has  played  a 
strategic  role  in  partnering  with  global  enterprises  to  build 
risk-resilient  organizations.  Widely  recognized  as  the  leading 
recruitment  firm  specializing  in  information  security  and  IT 
risk  management,  Alta  is  known  for  its  ability  to  identify  and 
deliver  top-tier  executives  and  the  teams  that  support  them. 


As information security and IT risk management has evolved as a profession, the demands placed on its executives and the skills required to be successful have become more complex.

“Companies are asking us to find a new breed of information security and risk officers,” says Joyce Brocaglia, CEO, Alta Associates. “Specifically, they’re asking for business-savvy leaders focused on people and processes as much as the underlying technologies that companies rely on to secure their organizations.”

Alta’s team of seasoned recruiters has acquired a profound practical knowledge of these new requirements and an understanding of those professionals who are most likely to succeed.

For instance, Alta knows information security and risk officers add the most value when they understand clearly the businesses they support and how their efforts enhance their company’s bottom line.

And the most successful candidates know that being adaptive and working with the right people to understand common objectives and achieve extraordinary goals is equally, if not more, important than the technology itself.

Alta’s success in its work building world-class organizations comes from a solid foundation comprised of effective partnerships, intuitive industry knowledge and an extensive network of close relationships.

“Alta’s recruiters are recognized as industry insiders who provide valuable guidance on hiring and career development trends to our clients and candidates,” says Brocaglia. “We advise our clients on how to position themselves and help them attract and retain the best talent in this dynamic industry.”

Alta Associates doesn’t just fill jobs; it acts as a strategic partner and trusted advisor to clients. Often sought after to fill the most difficult jobs in the security industry, Alta has played a key role in building corporate information security organizations, developing professional services practices, and growing security product startups throughout the United States.

Information security professionals devote considerable time and energy toward enhancing their skills. Alta’s clients and candidates realize the benefits of partnering with a firm that has devoted that same level of commitment toward helping individuals and organizations achieve their professional goals. ■


“In an industry where trust cannot be bought or established lightly, Alta Associates has earned a reputation for good work, with their deep understanding of the industry and all of its nuances.”

— Amit Yoran, CEO, NetWitness, former national cyber security chief




CA,  Inc. 


Reduce the Cost of Compliance in Today’s Global Economy Using Identity and Access Management Technology


Today - a full six years after Sarbanes-Oxley (SOX) was enacted in the United States - complying with various regulatory mandates is still a burden on an organization’s IT department. At the same time, the global economy has increased the compliance load by imposing additional regulatory mandates specific to individual countries. In fact, the cost of complying with just 13 common worldwide regulations increased an average of 44 percent over the past year as reported by companies across North America, Europe, Central and South America, and Asia Pacific.* As compliance issues continue to challenge organizations from a cost and productivity perspective, it is important to look at compliance processes - particularly those related to and supported by security - and develop repeatable processes that can be automated to reduce costs.


Reactive, Manual Processes = High Costs and Déjà Vu for Every Audit

Businesses initially responded to regulatory changes in a reactive, “all hands on deck” fashion, establishing crash teams, diverting key personnel to deal with compliance issues as they arose, and frantically rewriting procedures and processes in response to each auditor’s compliance evaluation.

The harried response was justified. A SOX violation had potentially business-crippling penalties ranging from the loss of a company’s exchange listing and fines of up to $5 million to imprisonment of executive officers.

More often than not, evaluation of compliance was done manually, one audit at a time using spreadsheets. That approach worked for most organizations, but only at a prohibitively high cost in terms of both direct expense and lost opportunity.

There is little opportunity to reduce effort or costs while companies are stuck in a reactive cycle. Instead, the costs continue to increase as key personnel are diverted from their primary tasks to perform manual reconciliations of conflicting compliance data, and business operations are interrupted to implement emergency “fixes” to bring existing business process into compliance. Redundant efforts often result as several departments gather and report on the same compliance information for the various global regulations, further impacting productivity.

* The survey, commissioned by CA and conducted by Beacon Technology Partners, represents feedback from 600 IT executives at large and midsize enterprises in the North America, Europe, Asia-Pacific, and Central and South America regions.

Identity and Access Management Technology Automates Processes to Help Ease Compliance

Smart organizations are taking compliance a step further and realizing real business advantage from compliance mandates by automating security compliance processes to improve their overall security posture. In fact, effective handling of compliance processes has become a success indicator for business.

The key to preventing the cost of compliance from spiraling out of control and impacting employee productivity is to achieve a state of sustainable compliance. This requires a process-centric platform that addresses the three elements of security compliance: IT security controls, proof of compliance, and automation of security processes. Identity and Access Management (IAM) technology can help address those elements and answer security questions such as “Who has access to what?” “Who can do what?” and “Who approved what?” to help detect security policy or compliance violations.

Examples of security compliance violations can range from improper segregation of duties to “orphan” or inactive accounts. A good IAM solution is not only able to report and audit to uncover those violations, but it can proactively manage the identity lifecycle of an organization’s employees, partners or customers and help prevent security compliance violations in the first place.

IAM technologies also can help automate processes and minimize manual tasks and the use of spreadsheets. IAM reporting can enable organizations to pull audit reports that not only tap into multiple platforms, but also can highlight what a user did and what the user has the ability to do. Discrepancies in those reports for an individual indicate a clear compliance violation.

In addition to the cost-savings realized when using IAM technology to help automate compliance processes, organizations gain additional operational benefit. Strong controls keep unauthorized people out, but they also make it easier to let the right people in. Authorized users — including employees and business partners — can get to information more quickly. This can increase the effectiveness of the organization as a whole because they can have better access to information. Effective IAM can help make companies more agile and able to respond faster and more effectively to the changing business by making information more readily available.

Regulatory burdens aren’t going away, and the companies that will be most successful will be those who can convert those requirements into opportunities to be more efficient, more agile and more effective. IAM solutions can provide the foundation for that success. ■

Companies can assemble a large team of people for compliance and make it work but this is a drain on resources. Real success lies in compliance on a continuous, sustainable basis, and reducing its costs over time.
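As an added example that is not CA’s or the page’s own code, the Python script below runs the kinds of checks the IAM audit reporting described above automates: over constructed roster, entitlement, approval and activity records it flags orphan and inactive accounts, segregation-of-duties conflicts, grants with no approver on record, and activity by a user who holds no matching entitlement. All system, role and user names are hypothetical.

```python
"""Access-review checks of the kind an IAM reporting layer automates.

Added example, not CA's or the page's own code. Every record below is
constructed sample data; the system, role and user names are hypothetical.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: the people currently employed (source of truth).
HR_ROSTER = {"alice", "bob", "carol"}

# Constructed entitlement export from two platforms: (system, user, entitlement).
ENTITLEMENTS = [
    ("erp", "alice", "create_vendor"),
    ("erp", "alice", "approve_payment"),  # together with create_vendor: SoD conflict
    ("erp", "bob", "approve_payment"),
    ("crm", "carol", "read_customers"),
    ("crm", "dave", "export_customers"),  # dave is not on the roster: orphan account
]

# Constructed approval records: who signed off on each grant ("Who approved what?").
APPROVALS = {
    ("erp", "alice", "create_vendor"): "mgr-finance",
    ("erp", "bob", "approve_payment"): "mgr-finance",
    ("crm", "carol", "read_customers"): "mgr-sales",
    ("crm", "dave", "export_customers"): "mgr-sales",
}

# Constructed activity log: (system, user, action, date of the action).
ACTIVITY = [
    ("erp", "alice", "create_vendor", date(2008, 9, 1)),
    ("erp", "bob", "approve_payment", date(2008, 8, 20)),
    ("crm", "bob", "export_customers", date(2008, 9, 2)),  # no matching entitlement
]

# Entitlement pairs that no single person may hold at once (segregation of duties).
SOD_CONFLICTS = {frozenset({"create_vendor", "approve_payment"})}

INACTIVE_AFTER_DAYS = 90


def review(roster, entitlements, approvals, activity, today, sod=SOD_CONFLICTS):
    """Return sorted (finding, system, user, detail) tuples for one review run."""
    findings = []
    held = defaultdict(set)  # (system, user) -> set of entitlements
    for system, user, ent in entitlements:
        held[(system, user)].add(ent)

    last_seen = {}  # (system, user) -> date of most recent activity
    for system, user, _action, when in activity:
        key = (system, user)
        last_seen[key] = max(when, last_seen.get(key, when))

    for (system, user), ents in held.items():
        # "Who has access to what?": accounts whose owner is not on the HR roster.
        if user not in roster:
            findings.append(("orphan_account", system, user, ""))
        # Accounts that hold access but have shown no activity inside the window.
        seen = last_seen.get((system, user))
        if seen is None or (today - seen).days > INACTIVE_AFTER_DAYS:
            findings.append(("inactive_account", system, user, ""))
        # "Who can do what?": conflicting entitlements held by one person.
        for pair in sod:
            if pair <= ents:
                findings.append(("sod_conflict", system, user, "+".join(sorted(pair))))
        # "Who approved what?": grants with no approval on record.
        for ent in sorted(ents):
            if (system, user, ent) not in approvals:
                findings.append(("unapproved_grant", system, user, ent))

    # What a user did versus what the user is entitled to do: any gap is a violation.
    for system, user, action, _when in activity:
        if action not in held.get((system, user), set()):
            findings.append(("activity_without_entitlement", system, user, action))

    return sorted(findings)


def sample_review(today_iso="2008-09-10"):
    """Run the review over the constructed sample data as of the given date."""
    return review(HR_ROSTER, ENTITLEMENTS, APPROVALS, ACTIVITY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in sample_review():
        print(*finding)
```

Against the sample data the run reports six findings; moving the review date past the 90-day window adds inactive-account findings for the ERP users as well.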


Bernadette Nixon is a CA senior vice president and general manager of Northeast U.S. and country manager of Canada for CA, Inc.

CA (NASDAQ: CA) is the world's leading independent IT management software company. With CA's Enterprise IT Management (EITM) vision and expertise, organizations can more effectively govern, manage and secure IT to optimize business performance and sustain competitive advantage. For more information, visit www.ca.com. CA offers complete security management solutions to protect a business's critical assets, achieve sustainable compliance, reduce IT administration costs and enable new business opportunities.


CSOFOCUS  9 


Trustworthy  Computing 


Creating  a  More  Trusted  Internet 

By  Scott  Charney,  Corporate  Vice  President,  Trustworthy  Computing,  Microsoft  Corp. 


Imagine  what  the  Internet  could  be  if  everyone  had  a  more  secure  and 
privacy-enhanced  experience,  an  Internet  where  devices  and  software 
enable  people  to  make  more  effective  choices  about  who  and  what 
they  trust  in  their  online  interactions. 


It  is  not  an  overstatement  to  say  that  the  Internet  has  transformed  the  way  we  live. 
Social  networking  represents  the  new  town  square;  blogging  has  turned  citizens  into 
journalists;  and  e-commerce  sites  have  spurred  global  competition  in  the  marketplace. 
But  with  people  of  all  ages  flocking  online,  and  with  the  proliferation  of  high-profile, 
targeted  attacks  on  individual  or  organizational  information,  assets  and  identities,  more 
and  more  people  consider  the  lack  of  security  and  privacy  on  the  Internet  to  be  at  an 
unacceptable  level. 

My  introduction  to  cybercrime  occurred  in  1991,  when  my  career  as  a  criminal  prosecutor 
took  a  surprising  turn:  I  was  tasked  by  the  United  States  Department  of  Justice  to  focus 
on  cybercrime.  As  a  lawyer,  I  was  trained  to  study  past  cases  and  apply  the  rule  of  law 
to  the  facts  at  hand.  But  here  I  was  on  the  electronic  frontier  with  no  precedent,  no 
guidance,  and,  as  a  prosecutor,  I  was  challenged  by  the  global  connectivity,  anonymity, 
and  lack  of  traceability  that  the  Internet  provided  to  cybercriminals.  In  the  years  that 
followed,  I  worked  on  amending  computer  crime  laws,  developing  guidelines  for 
searching  and  seizing  computers,  brokering  new  international  agreements  to  combat 
cybercrime,  and  understanding  the  intersection  of  security  and  privacy  (I  was  on  the 
Clinton  administration's  Privacy  Working  Group  and  served  as  vice  chair  of  the  OECD 
Expert  Group  on  Security  and  Privacy). 

In March 2002, I was hired by Microsoft Corp. to be its chief security strategist. My
assignment  was  to  focus  on  the  security  (and  later  privacy  and  reliability)  of  Microsoft's 
products  and  services,  but  I  soon  realized  that  my  thinking  was  too  narrow.  It  was  not 
just  about  protecting  our  customers,  but  protecting  everyone;  even  someone  without 
a  computer  was  dependent  upon  computers  at  his  or  her  bank  or  telecommunications 
provider,  or  in  his  or  her  government.  I  realized  that  I  was  once  again  responsible  for 
public  safety;  but  in  the  private  sector. 

During  my  17  years  of  security  and  privacy  work,  the  Internet  and  its  uses  have  grown 
dramatically.  Indeed,  the  Internet  has  had  a  positive  impact  on  many,  many  aspects  of 
our  society,  but  greater  global  connectivity  combined  with  the  increasingly  valuable 
information  stored  online  has  resulted  in  a  new  array  of  threats  and  an  increase  in 
cybercrime.  It  has  become  increasingly  clear  that  if  cybercriminals  remain  anonymous 
and  untraceable,  there  will  be  no  meaningful  accountability  for  online  crime  and  little 
by  way  of  deterrence.  In  the  physical  world,  we  have  effective  proactive  measures  (locks 
and  keys,  community  watch,  law  enforcement  patrols)  and  effective  reactive  measures 
(arrests  and  prosecutions).  Many  crimes  are  prevented,  and  many  crimes  are  solved. 
But the Internet is different. Despite improvements in effective proactive measures, criminals are not held accountable for their actions and are increasingly emboldened. If we want the Internet to reach its full potential, we need a safer, more trusted online environment.


Join the Dialogue

■ Public Policy: How should we enhance security on the Internet while supporting social values such as privacy and anonymity?

■ Technology Innovation: How do we, and how should we, build a Trusted Stack that enables a safer, more Trusted Internet?

■ Economic: How do we create economic incentives to drive a more secure, and privacy-enabled Internet?

www.microsoft.com/endtoendtrust

To  that  end  Microsoft  and  other  companies  continue  to  make  progress  on  security  and 
privacy  issues.  For  six  years,  and  as  a  result  of  our  focus  on  Trustworthy  Computing 
(www.microsoft.com/twc),  Microsoft  has  made  significant  progress  toward  improving 
the  security  and  privacy  of  our  products  and  services.  We  embraced  the  Security 
Development  Lifecycle,  as  well  as  defense  in  depth  and  threat  mitigation  technologies. 
Along  with  our  industry  partners,  we  continue  to  build  a  more  secure,  private  and 
reliable  computing  experience.  But  Microsoft  and  the  technology  industry  alone  cannot 
create  a  trusted  online  experience.  For  that  to  happen,  industry  must  not  only  band 
together  but  must  work  with  customers,  partners,  governments  and  other  important 
constituencies  on  a  road  map  for  taking  Trustworthy  Computing  to  the  Internet. 

We  believe  there  are  three  key  pieces  to  creating  greater  trust  on  the  Internet.  The  first 
is  creation  of  a  trusted  stack  where  security  is  rooted  in  hardware  and  where  each 
element  in  the  stack  (hardware,  software,  data  and  people)  can  be  authenticated  in 
appropriate  circumstances.  The  second  piece  involves  managing  claims  relating  to 
identity  attributes.  We  need  to  create  a  system  that  allows  people  to  pass  identity  claims 
(sometimes  a  full  name  perhaps,  but  at  other  times  just  an  attribute  such  as  proof  of 
age  or  citizenship).  This  system  must  also  address  the  issues  of  authentication, 
authorization,  access  and  audit.  Finally  we  need  a  good  alignment  of  technological, 
social,  political  and  economic  forces  so  that  we  make  real  progress.  The  goal  is  to  put 
users  in  control  of  their  computing  environments,  increasing  security  and  privacy,  and 
preserving  other  values  that  we  cherish  such  as  anonymity  and  freedom  of  speech. 

The  opportunity  is  now.  Some  serious  issues,  such  as  botnets,  ID  theft  and  child  safety, 
have  served  to  focus  people's  attention  on  security  and  privacy  issues.  Some  important 
technologies,  such  as  public  key  infrastructure  (PKI)  and  smart  cards,  are  now  mature 
enough  for  broad  deployment.  Some  important  debates,  such  as  how  to  achieve  more 
security  and  more  privacy  instead  of  trading  one  for  the  other,  have  led  to  new  thinking 
about  how  we  can  create  a  more  secure  and  privacy-enhanced  Internet.  And  we  have 
learned  through  past  experience  how  to  align  technology,  social  forces,  political  will 
and  market  dynamics  to  achieve  great  progress  on  important  issues,  just  as  we  have 
learned  why  important  efforts  sometimes  fail. 

Microsoft  would  like  to  ask  all  who  care  about  online  safety  to  join  in  a  robust  and 
meaningful  discussion  about  building  a  more  trusted  Internet.  To  facilitate  the  dialogue, 
we  have  provided  a  white  paper  describing  End  to  End  Trust,  Microsoft's  proposed 
vision  to  help  create  a  more  trusted  Internet.  We  invite  everyone  to  read  this  white 
paper,  posted  on  www.microsoft.com/endtoendtrust,  and  join  the  dialogue  through 
our  discussion  forums. 

A  more  trusted  Internet  is  good  for  our  business  and  for  our  customers,  but  the  paper 
also  reflects  Microsoft's  sense  of  corporate  and  social  responsibility,  values  that  we  know 
are  shared  by  others  in  the  Internet  community.  So  in  the  coming  months,  we  will  share 
our  thoughts  about  the  feedback  we  received  as  part  of  this  dialogue.  We  will  see  if 
there  is  consensus  on  what  a  more  trusted  Internet  might  look  like  and  how  such  a 
vision  could  be  achieved  and  share  with  you  Microsoft's  next  steps  toward  establishing 
End  to  End  Trust. 


“...if we want the Internet to reach its full potential, we need a safer, more trusted online environment.”


Read the whitepaper

Join the dialogue

Go to Microsoft’s End to End Trust forum and let your voice be heard.

www.microsoft.com/endtoendtrust


Microsoft 


©  2008  Microsoft  Corporation.  All  rights  reserved. 

This  Statement  of  Purpose  is  for  informational  purposes  only.  MICROSOFT  MAKES  NO  WARRANTIES, 
EXPRESS  OR  IMPLIED,  IN  THIS  SUMMARY.  Microsoft  is  a  trademark  of  the  Microsoft  group  of  companies. 

All other trademarks are property of their respective owners.


>>  BRIEFING 


FLAW  WATCH 

The  DNS  Crisis 
Of  2008 

It’s been a long time since the alarm bell sounded as loudly as it did after details of a serious DNS flaw were released

There was plenty of panic this summer over a massive flaw in the domain name system (DNS) software used to route messages between computers on the Internet. And the fallout continues.

It all started in July when IOActive researcher Dan Kaminsky announced he had discovered the flaw and had worked behind the scenes with all the affected vendors on a patch. His plan was to release full details of the flaw at the Black Hat USA 2008 Briefings and Training conference in Las Vegas in early August, but researchers at security company Matasano spilled the beans early in a posting on its popular blog.

Kaminsky had worked for several months with major providers of DNS software such as Microsoft, Cisco and the Internet Systems Consortium to develop a fix for the problem. The corporate users and Internet service providers (ISPs) who are the major users of DNS servers had been working since July 8 to patch the flaw, but many had not yet installed the fix on all DNS servers by the time Matasano revealed the details. Then, at Black Hat, Kaminsky demonstrated that the attack potential was worse than first thought.

The attack that could be launched via the DNS flaw is a variation on what’s known as a cache poisoning attack. It has to do with the way DNS clients and servers obtain information from other DNS servers on the Internet. When the DNS software doesn’t know the numerical IP (Internet protocol) address of a computer, it asks another DNS server for this information. With cache poisoning, the attacker tricks the DNS software into believing that legitimate domains, such as IDG.com, map to malicious IP addresses.

In Kaminsky’s attack, a cache poisoning attempt also includes what is known as “additional resource record” data. By adding this data, the attack becomes much more powerful. An attacker could launch such an attack against an ISP’s domain name servers and then redirect them to malicious servers. Although a software fix is now available for most users of DNS software, it can take time for these updates to get installed on the network. So it was even more unwelcome when attack code was cooked up and released via the Metasploit Framework security development platform.
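The checks that decide whether a resolver trusts a reply, and in particular what it does with the “additional resource record” data the article mentions, as an added example that is not code from the article or from any DNS vendor. It models three defensive checks: a reply must carry the transaction ID of an outstanding query and arrive on that query’s randomized UDP source port (the coordinated 2008 patches added port randomization to the 16-bit ID), it must answer the question that was asked, and additional records are cached only if they fall inside the bailiwick (the zone the queried server is authoritative for). The record layout, the `Cache` class and the example names and addresses are constructed for the illustration.

```python
"""Model of the checks a caching resolver applies before trusting a DNS reply.

Added example, not code from the article or from any DNS vendor. Record layouts,
names (example.com / example.net) and addresses (documentation ranges) are
constructed; the Cache class is a deliberately minimal stand-in.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, and data (an address here)."""
    name: str
    rtype: str
    data: str


@dataclass
class Query:
    qname: str
    txid: int      # 16-bit DNS transaction ID
    src_port: int  # UDP source port the query was sent from


@dataclass
class Reply:
    txid: int
    dst_port: int    # port the reply was addressed to
    qname: str
    answers: list    # list[RR]
    additional: list  # list[RR]


def new_query(qname: str) -> Query:
    """Create a query with a random transaction ID and a random ephemeral source port.

    A 16-bit ID alone leaves a forger 65,536 guesses; randomizing the port as well
    multiplies that by the size of the ephemeral port range.
    """
    return Query(qname, secrets.randbelow(1 << 16), 1024 + secrets.randbelow(65536 - 1024))


def _canon(name: str) -> str:
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of zone (case-insensitive)."""
    n, z = _canon(name), _canon(zone)
    return n == z or n.endswith("." + z)


def validate_reply(query: Query, reply: Reply, zone: str):
    """Return the records that may be cached, or None if the reply is discarded.

    zone is the zone the queried server is authoritative for; answer or additional
    records outside it (e.g. a gratuitous A record for another domain) are dropped.
    """
    if reply.txid != query.txid or reply.dst_port != query.src_port:
        return None  # does not match the outstanding query: forged or stale
    if _canon(reply.qname) != _canon(query.qname):
        return None  # answers a question we did not ask
    return [rr for rr in reply.answers + reply.additional if in_bailiwick(rr.name, zone)]


class Cache:
    """Minimal resolver cache keyed by (name, type); TTLs are omitted."""
    def __init__(self):
        self._rrs = {}

    def store(self, records):
        for rr in records:
            self._rrs[(_canon(rr.name), rr.rtype)] = rr.data

    def lookup(self, name, rtype="A"):
        return self._rrs.get((_canon(name), rtype))


def demo():
    """A legitimate reply is cached, minus its out-of-zone extra; a mismatched reply is rejected."""
    cache = Cache()
    q = Query("www.example.com.", txid=0x1234, src_port=40000)
    good = Reply(0x1234, 40000, "www.example.com.",
                 answers=[RR("www.example.com.", "A", "192.0.2.10")],
                 additional=[RR("ns1.example.com.", "A", "192.0.2.53"),
                             RR("www.example.net.", "A", "203.0.113.5")])  # out of zone
    cache.store(validate_reply(q, good, "example.com.") or [])
    # Same transaction ID but wrong destination port: the port check alone rejects it.
    stray = Reply(0x1234, 41000, "www.example.com.",
                  answers=[RR("www.example.com.", "A", "203.0.113.9")], additional=[])
    rejected = validate_reply(q, stray, "example.com.") is None
    return cache, rejected
```

The bailiwick rule is what neutralizes the extra records: a reply for `www.example.com` may install `ns1.example.com`, but never an address for `www.example.net`, whatever else it gets right.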

“Now that the exploit is out there, combined with the fact that not all DNS servers were upgraded...attackers should be able to poison the cache of some ISPs,” Amit Klein, chief technology officer with Trusteer, said at the time. “We may never know about such attacks, if the attackers work carefully and cover their tracks properly.”

-Robert  McMillan 


Dan Kaminsky


DNS Flaw Worth the Worry

By now, you’ve probably seen a lot of headlines concerning the security hole IOActive researcher Dan Kaminsky discovered in the Internet’s domain name system (DNS).

You’ve no doubt seen a lot of alarming reaction to go with it, and in this case it may be justified. This flaw affects essentially the spine of the Internet, and those who fail to patch it are taking a big risk.

As my colleague Robert McMillan reported, the potential reach of this flaw is huge.

“By sending certain types of queries to DNS servers, the attacker could then redirect victims away from a legitimate website to a malicious website without the victim realizing it. It could be used to redirect all Internet traffic to the hacker’s servers,” he reported.

Though I’m jumping on the alarm bell with everyone else this time, security pros should resist the urge to lash out at the researchers who brought this problem to light. As bad as it is, the researchers deserve credit for trying to handle this one responsibly.

Kaminsky discovered the flaw some time ago but waited until all the affected vendors could develop a patch before he disclosed it publicly. This took a lot of discipline on his part, since the urge to disclose a big find is usually irresistible for a researcher.

I even give credit to the folks at Matasano Security for taking responsibility after they accidentally spilled the details. Matasano’s Tom Ptacek apologized to Kaminsky in the Matasano blog.

“We regret that it ran,” he wrote. “We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.”

I’ve seen researchers spill details like this in the past, only to take a self-righteous, defensive tone, bloviating about the importance of full disclosure as if releasing the full recipe for an attack were really in a company’s best interests.

Instead, Ptacek took responsibility and did so with class.

There were mistakes in the handling of this, for sure, but at least everyone tried to do the right thing.

-Bill  Brenner 


14  www.csoonline.com  September  2008 


Photo  by  Quinn  Norton 


I  am  fearless. 


I  believe  loyalty  is  built  on  trust, 
not  just  on  technology. 

I  inspire  confidence. 

I  build  our  brand. 




I  secure  customer  identities  and 
assets  for  a  global  bank. 


I  offer  my  customers  protection 
in  the  online  channel. 


Protect Customer Identities. When it comes to security, most businesses understand what it means to fail. But few can imagine what it would mean to succeed. RSA’s information-centric security solutions can move your business forward. That’s why we’re the chosen security partner of more than 90 percent of the Fortune 500. Don’t just secure your business. Accelerate it. Learn more at www.rsa.com/go/peak

The Security Division of EMC

Secure Anytime Anywhere Access / Protect Customer Identities / Secure Enterprise Data / Manage Compliance and Security Information

©2007  RSA  Security  Inc.  All  rights  reserved.  RSA  and  the  RSA  logo  are  either  registered  trademarks  or  trademarks  of  RSA  Security  Inc.  in  the  United  States  and/or  other  countries. 

All  other  products  and  services  mentioned  are  trademarks  of  their  respective  companies. 


>>  BRIEFING 


SECURITY WISDOM WATCH

This  month,  we  focus  on  all  the 
hoopla  surrounding  the  DNS  flaw 
and  exploits  that  followed.  Much 
has  been  made  about  how  the 
researchers,  vendors  and  security 
media  handled  this.  Here's  our  take: 

Dan Kaminsky: He discovered the DNS flaw weeks ago but kept it under his hat while working to ensure the affected vendors had a fix in place. He could have cashed in early on a wave of publicity, and some have criticized him for not going public sooner. We think he’s one of the few researchers who truly believe in responsible disclosure.

Larger hacking community: Those who suggest a flaw as big as this should have been revealed from the beginning, when no vendor patches were available, were being foolish. It would be great for malicious code writers, terrible for those trying to secure their company networks.

Tom Ptacek: The Matasano Security principal blundered by spilling the DNS flaw details early on his company blog and apologized hours later. He could have played the self-righteous card and bloviated about how Matasano was advocating full disclosure. Instead, he did something classy and took responsibility for a mistake.

Security blogosphere: This saga has revealed the best and worst of the security blogosphere. Some chose to spew unwarranted alarm. But many more used their blogs to dispense responsible tips for getting through the DNS crisis.


A  CRIME  WORSE  THAN  SPAM 


Fugitive Spam King Dead in Apparent Murder-Suicide

AFTER  ESCAPING  from  a  federal  minimum-security 
prison  camp,  convicted  spammer  Eddie  Davidson  killed 
himself,  apparently  after  murdering  his  wife  and  three- 
year-old  daughter. 

Davidson  had  been  a  fugitive  from  the  law  since 
walking  away  from  the  prison  camp  in  Florence,  Colo., 
in  July.  He  had  been  serving  a  21-month  sentence  after 
pleading  guilty  to  criminal  spam  charges  late  last  year. 

Another  person,  a  teenage  girl,  according  to  local 
reports,  was  shot  but  survived  the  incident.  Authorities 
also  found  an  infant,  unharmed,  at  the  scene  of 
the  shooting. 

Davidson’s  wife  had  been  in  the  car  with  him  when 
he  left  the  Florence  prison,  about  45  miles  south  of 
Colorado  Springs.  He  had  last  been  seen  in  Lakewood, 
Colo.,  where  he  got  a  change  of  clothes  and  cash,  according  to  the  Department 
of  Justice. 

Known as the Colorado “Spam King,” Davidson earned millions of dollars between 2003 and 2006 by operating a spamming operation, called Power Promoters, out of his home.

He  would  change  the  header  information  in  his  messages  to  make  it  appear  as 
if  they  had  come  from  legitimate  companies,  such  as  AOL,  and  then  send  them 
out  to  hundreds  of  thousands  of  addresses. 

Davidson  sent  the  messages  on  behalf  of  an  unnamed  Houston  company, 
court  filings  state.  He  was  asked  to  promote  about  19  penny-stock  companies, 
including  one  called  Advanced  Power  Line  Technologies,  in  2006  and  2007.  He 
would  earn  fees  based  on  the  trading  volume  of  the  stocks  he  was  promoting. 

The  business  was  lucrative:  The  Houston  company  paid  Davidson  about  $1.4 
million  for  his  services,  court  documents  state. 

Between  2003  and  2006,  when  his  primary  source  of  income  was  spam,  bank 
account  deposits  into  Davidson’s  account  totaled  about  $3.5  million. 

“What a nightmare, and such a coward,” said U.S. Attorney Troy Eid. “Davidson imposed the ‘death penalty’ on family members for his own crime.”

-Robert  McMillan 


STANDARDS 

Changes  Ahead 
for  SAS  70 

The  auditing  standard 
may  be  getting  a  face-lift 
to  better  fit  the  times 

The conventional wisdom of recent years is that security must be approached as a business function rather than a separate, distracting entity.

As  such,  security  organizations  must 
start  collaborating  with  groups  outside 
the  security  realm,  according  to  Marios 
Damianides,  a  partner  in  Ernst  &  Young's 
technology  and  security  risk  services 
group  and  past  president  of  ISACA’s  board 
of  directors. 

An example of that convergence is an impending update of the SAS 70 auditing standard.

Damianides  confirmed  in  a  recent 
interview  that  SAS  70  is  being  revised  as  a 
broader  tool.  “Talks  are  happening  around 
the  idea  of  creating  general-purpose 
SAS  70s,  where  you  could  define  to  some 
extent  the  environment  you’ll  be  auditing 
against  and  then  design  and  test  that 
environment,”  he  says.  “This  could  apply 
to  security.” 

He  says  companies  need  to  show 
customers  that  their  security  environment 
is  sound,  and  a  general-purpose  SAS  70 
would  define  the  security  environment  and 
the  controls  that  would  be  audited. 

“I also believe SAS 70 will be more closely aligned with ISO 17799 (the international standard code of practice for information security management) over time to reflect the growing convergence between them,” Damianides says.

-Bill  Brenner 




Photo  by  AP  ImagesPworldwide 


EXECUTIVE 

VIEWPOINT 


ADVERTISEMENT 


Empowering  Users  Within 
Secure  Systems 

Mitigate risk while streamlining operations

Bert  Sugayan 

PRESIDENT,  OXFORD  COMPUTER  GROUP,  NORTH  AMERICA 

Bert  Sugayan  is  responsible  for  the  North  American  operations  of  Oxford 
Computer  Group,  a  global  systems  integrator  specializing  in  .NET  identity  and 
access  (IDA)  solutions. 


Managing the lifecycle and access privileges of digital identities presents considerable challenges. High administrative overheads, increased security risks, regulatory compliance breakdowns, and the inability to effectively deploy new business initiatives are just a few. An identity and access management solution automates the process so that the right people inside and outside your organization have access to the right systems at the right time.

Why did Microsoft choose Oxford Computer Group as its Partner of the Year for Advanced Infrastructure Solutions, Active Directory?

Oxford Computer Group was the first systems integrator to build a business focusing exclusively on providing Microsoft directory and identity management consulting and training services. The Partner of the Year recognition specifically acknowledged Oxford Computer Group’s contributions in helping Microsoft develop and implement its Windows Live@edu offering, which enables colleges and universities to offer free email accounts and other services to their students and alumni. The Live@edu program uses Microsoft’s Identity Lifecycle Manager (ILM) application to provision Hotmail and Exchange accounts from a college’s student directory, and provides authentication and synchronization capabilities to provide security and to seamlessly update changes to any information.

What are the biggest benefits your customers derive from adopting an IDA solution?

Identity Lifecycle Management boosts efficiency by integrating disparate systems within existing infrastructures to automate and centralize identity lifecycle processes and tools, for example, companies that need to integrate cross-border as a result of mergers and acquisitions. Authentication solutions improve security with complex passwords, multifactor authentication, certificate management and audit capabilities. Federation enhances collaboration and operational efficiency by building secure and efficient connections within and across organizations. Information protection ensures that only the right people in the right roles within an organization have appropriate access to information.


“Authentication solutions improve security with complex passwords, multifactor authentication and audit capabilities.”

How do your customers sell their top management on the value of your products and services?

Oxford Computer Group authored the original Microsoft-certified courseware for Microsoft Identity Integration Server (now ILM), and has trained more than 3,000 people worldwide on these technologies, including most of our competitors and Microsoft itself. No company has deployed more Microsoft engagements than Oxford Computer Group. As a result, we enjoy a very strong reputation as the industry experts. The overall licensing costs are substantially lower than the competition’s, and the product’s inherent flexibility and agility allow us to provide “quick wins” for our customers with demonstrable ROI to show to their management.

What changes and challenges are on the horizon for identity and access, and what are you currently recommending to your clients?

In the short term, Microsoft is rolling out its next release of ILM in the spring of 2009. The features and functionality of this next release offer much more right out of the box than the current version, such as codeless provisioning, a SharePoint-based user portal, better reporting functionality and built-in workflows. Whether to upgrade, and when, is a question we are being asked a lot these days. For many companies, they will get along just fine with their existing systems. For others, the added features will be compelling but the migration path is unproven. For those without an existing ILM solution, the new release will certainly make identity and access management more accessible to small- and mid-market clients.


FOR  MORE  INFORMATION: 

Visit  www.oxfordcomputergroup.com. 




CSO 

Custom  Solutions  Group 


>>  BRIEFING 


AIRPORT  SECURITY 

IT’S  IN  THE  BAG 


Airport  checkpoints  have  been  a  choke  point 
for  travelers  with  laptops.  That’s  about  to 
change,  thanks  to  newly  redesigned  bags. 


New “checkpoint friendly” bags due out this fall should be the hottest thing in mobile since the iPhone. These bags can go through x-ray machines with the laptop still in them. That’s thanks to a March move by the Transportation Security Administration, which sent an RFI (request for information) to manufacturers, asking them to come up with bags that would let airport screeners see the laptop in one viewing.

If  they  did,  it  would  stop  forcing  travelers  to  go  through  the  tedious  and 
potentially  damaging  exercise  of  removing  their  laptops  from  their  cases. 

TSA said it wanted to update travel satchels to decrease passenger stress levels, speed checkpoints and lower the number of claims for damaged laptops.

The  issue  with  bags  in  the  past  has  been  that  it  was  hard  for  security 
agents  to  see  the  laptop,  because  of  all  the  other  things  that  would  get 
crammed  in  and  around  them,  like  mice,  power  cords  and  so  on.  Pockets 
with  snaps  or  zippers  could  also  affect  the  image. 

More than 40 luggage makers responded by developing prototype bags that were sent for testing at three airports.

TSA has found that a number of these work (backpack designs tend not to, though there’s at least one bag maker, Targus, that should have one).

There are some designs currently on the market, like laptop sleeves, that also should work.

But most travelers will need to shop for new bags, expected to be widely available this fall.

And the cool security technology to make this all possible: pockets.

Well, more or less. TSA suggested three designs, all of which feature ways to let the laptop be easily accessible without being removed from the bag, such as a bag that could be unzipped to open completely and make the laptop visible, or a bag made of different compartments, one exclusively for the laptop.

Several of the designs that passed the x-ray test feature trays, though at least one of TSA’s suggested designs was also implemented.

TSA  notes  that  even  checkpoint-friendly  bags  aren’t  guaranteed  to 
work.  Travelers,  for  instance,  will  still  need  to  take  care  to  make  sure  that 
metal  snaps  or  zippers  are  not  in  the  laptop-only  section.  If  the  screener 
can’t  see  the  laptop  properly,  it’s  back  to  the  old  process. 

Could  checkpoint-friendly  shoes  be  next?  A  TSA  spokeswoman 
stamped  on  that  one,  saying  shoe  removal  will  remain  mandatory. 

-Michael  Fitzgerald 


Laptop  Bag 
Requirements 


COLLECTIVE  FEEDBACK  “WHAT  NOT  TO  DO” 


As specified in the RFI, there should be no straps, pockets, zippers, handles or closures that interfere with the image of the laptop. To reiterate (given these elements were seen in prototypes):

■  No  metal  snaps,  zippers  underneath  or  on  top  of  where  the 
laptop  would  be  X-rayed; 

■  Plastic  elements  work  much  better  than  anything  metal; 
and 

■  No  pockets  either  underneath  or  on  top  of  where  the 
laptop  would  be  X-rayed. 

■  Thick  dividers  in  bags  do  not  work  to  produce  a  clear  image. 
TSA  is  interested  in  the  quality  of  the  X-ray  image.  If  the 
bag  presents  a  clear  image,  TSOs  will  allow  the  laptop  to 
remain  in  the  bag  and  secondary  screening  will  not  be 
necessary  UNLESS  another  portion  of  the  bag  has  alarmed. 

■  Emblems  or  seals  that  are  thick  and  placed  on  top  of  where 
the  x-ray  image  would  be  taken  do  not  allow  for  a  clear 
image. 


OVERARCHING  GUIDANCE 


Passenger Behavior: A bag that is produced by the manufacturer and presents a clear image during testing does not automatically mean that the same bag, when used by a passenger, will not alarm. Why? If there is room in the laptop compartment to store other items, such as a power cord, a passenger may choose to do so. Designs must guide passenger behavior or passengers must be notified by the manufacturer on how to use the bag in the way it was intended.

Durability: A bin protects a laptop from other articles bumping up against it at both the front and back ends of the x-ray. Since the bags will go directly on the conveyor belt and not in a bin, the bag design should provide an equal level of protection if customers’ laptops are to remain unharmed during screening.

Accessibility: If the bag alarms, the TSO should be able to have easy access to the laptop computer for secondary screening. If bags are designed in such a way that it takes a TSO a long time to figure out how to remove the laptop, the passenger wait time has just increased significantly, thus defeating the purpose of the bag completely.

Recognizability: TSOs currently instruct passengers to remove all laptops from bags. This will continue except in instances where passengers have a bag that is designed to allow for a clear X-ray image. Designs should be distinguishable from other standard laptop cases.


Photo by Corbis




TOOLS, TECHNOLOGIES AND TACTICS

By Mary Brandel

Role-Playing

Role management can help automate permissions and workflows. Here’s practical advice on doing it well.


Role management software enables the creation and life-cycle management of enterprise job roles, according to Forrester Research. It does this by discovering and logically grouping application-level, fine-grained authorizations and entitlements into enterprise job roles, which can then be assigned to people by rule-based provisioning or request-approval workflows.

In its 2007 survey of 35 organizations, Burton Group found that the number of role management initiatives has grown significantly since 2003, especially in the financial services industry. The top business drivers include:

■ Administrative efficiencies for access management

■ Ease of audit and compliance

■ Improved security controls for access and authorization

The payoff? In return for your efforts, expect the following benefits:

■ Simplified number of managed entities

■ Improved visibility into available resources

■ Better enforcement of policy

■ Improved relationship of IT with the business

All of this comes at a price, of course. Burton Group warns that role management requires a significant investment in up-front effort. In its survey, it found the average annual budget for these efforts was about $1.2 million. Project funding was widely variable, says Kevin Kampman, senior analyst at Burton, and was sometimes embedded in other initiatives such as ERP or identity management implementations, with investments ranging from nothing (in one case) to between $10 and $1,000 per user.

Small and midsize businesses can plan to implement role mining and design projects for $300,000 to $500,000, while large, complex organizations will face $500,000 to $1 million price tags, according to Forrester.

The Burton Group says major challenges for these projects include:

■ Establishing the relationship of roles to business and administrative processes

■ Setting guidelines for defining and establishing roles

■ Determining who should participate and in what capacity

■ Determining how to maintain roles over time

■ Associating roles with resources

■ Determining how to associate business process and policy with roles

Illustration by Colin Johnson

In Burton Group’s survey, nearly 70 percent of participants indicated this was their first attempt at a role management implementation, while the rest had attempted a previous initiative. Of that population, 40 percent were successful and 60 percent were unsuccessful. The reasons for failure were consistent, Kampman says, including:

■ An exclusively technical focus

■ Little or no business sponsorship and participation

■ Lack of an overall organizational strategy, methodology and deployment approach

Key differentiators of existing systems, according to Forrester, include integration with leading ERP systems’ role structures (SAP, Oracle), management of versioning and temporality of roles and integration with provisioning and identity audit products.

Do’s and Don’ts

DON’T select a tool until you’ve defined your process. Implementers warn that the system should support the role management process, not the other way around. That was clear to Martin Kruit, a vice president at ABN Amro, who knew that the wholesale business unit in which he worked needed to improve the way it handled access management. At the time, access requests were sent to whichever administrator had implemented the application. Essentially, Kruit says, “If you needed something you could get it. There was no rationale behind it.”

So, in 2004, Kruit and his team worked to create a centralized system that not only streamlined the process but also met the needs of internal auditors to prove employees had access only to needed resources.

The team worked, department by department, to define roles and determine what access people in those roles required. It manually cleaned up the system, including ridding it of “orphaned” accounts of ex-employees. At the time, Kruit says, there was nothing available to automate this process so his team used spreadsheets to record roles and related access needs, but this eventually grew unwieldy. By 2005, Kruit and his team began looking for a role management tool and decided on BHOLD.

Now, when an access request comes in, the system reconciles it against the requestor’s role profile and sends an e-mail to an offshore administrator in India to provide access. ABN Amro does not do automated provisioning because it would be too costly to create the customized interfaces with the company’s legacy systems, Kruit says. “We looked for software that fit our philosophy of having a strong process first and then the automation,” he says. “The system had to grow with us, and not all companies did that—they just want to sell you a total solution.”

Similarly, Energy East spent six months redesigning its process before “throwing software at it,” says Steven Harkola, director of support services at the diversified energy delivery provider. His team trained 40 team members in ITIL foundations and worked with a consultancy to form a project management office, eventually deciding to integrate access management with incident and asset management processes to create a Web-based shopping-cart-like front end to the system.

In fact, when Energy East decided on Courion as a vendor, Harkola says, a major factor was the vendor’s willingness to perform the integration work necessary to connect the systems together and create a workflow system.

DO take a combined top-down, bottom-up approach. According to Kampman, role management typically combines a top-down (or business responsibility-driven) perspective, and a bottom-up (or system resource-oriented) approach. Top-down reflects the needs of the business, while bottom-up reflects the application privileges and permission sets to satisfy those business responsibilities.

Harkola says it’s the bottom-up that’s really time consuming because it requires developers to delve into the target applications and pull out the entitlement database to see what everyone has access to. The role templates were much easier to create, he says, thanks to Courion’s Role Courier, which analyzes the entitlement data and quickly builds roles, which clients then verify as accurate.

Craig Shumard, CISO at Cigna, says its tool, Aveksa, can automate the bottom-up process. Before purchasing Aveksa, he says, his team worked manually to create roles based on business responsibilities, as well as the entitlements each role should have. However, Aveksa was able to go into the applications and provide a “book of record,” he says, or an as-is state of the access people in those roles actually had. This, he says, exposed all the company’s “sins of the past” and allowed them to clean up access privileges.

DO create links between IT roles and business roles. It’s important to, as Craig Cooper, senior project manager at Thrivent Financial for Lutherans, puts it, “connect the dots” for the business between access entitlements and business definitions. That’s why his team mapped each entitlement with a business definition. That way, a business person could ask simply to, say, update a customer record, without having to specify the dozens of access requests they’d need to perform that operation. “It puts it into a business context,” he says.

DO go beyond access control when communicating business benefits. Kampman says because role management ensures that authority, responsibilities, resources and communications channels are aligned to meet business objectives, it can have great appeal to C-level execs who need this kind of visibility to achieve a more effective and efficient organization.

Capabilities of Full-Fledged Role Management Systems

Today’s role management solutions include several or all of the following capabilities, according to Burton Group analyst Kevin Kampman.

Role mining and discovery: The ability to collect user access and authorization information from a variety of resources, associate this data with candidate roles and responsibilities, propose alternative roles and leverage decisions made about the data on an ongoing basis.

Organization and business role modeling: As business roles are developed, they may need to be associated with organizational characteristics, especially reporting and working relationships.

Business role management: From the business perspective, roles are viewed as a set of responsibilities performed in conjunction with a position in the organization. The system should be able to define, maintain and examine existing roles to determine if they can be repurposed.

IT role modeling: From the perspective of access management and authorization, resources should be managed at as general a level as possible. This requires the association of users or business roles to specific privileges or permission sets, which the tool should enable. The tool should also enable business and IT roles to be mapped to one another.

IT role management: Similar to business roles, IT roles need an administrative mechanism to define, maintain and search roles.

Role reconciliation: The solution should provide a way to identify who is assigned to one or several roles, when and how the assignment was made, and when it should be reviewed. A similar capability should be provided for IT roles.

Policy definition and management: Roles are frequently associated with policies, particularly from a separation of duties perspective. That is, someone acting in one role may need to be prevented from acting in another role at the same time, in a serial manner, under the direction of someone in a particular role or under some other condition. The system should provide for the definition and management, if not the discovery of policy, as well as the association of policies to roles.

Role and policy publication: The system may become the authoritative source for publishing role and policy information.

Role integration with identity, policy, workflow and authorization solutions: Interfaces may be provided directly, or the developer may leverage connectors or agents provided by the application in question.

Attestation and compliance collection and reporting: The system should enable responsible parties to periodically verify that roles are still effective and in compliance.

Activity monitoring and correlation: The system should enable monitoring of user interaction with resources to provide information for the development of roles. This also provides visibility into normal and abnormal usage.

Temporal modeling and state management: The system should keep track of who held a particular role at a particular time, as well as some characteristics of that assignment, for example, who assigned them to that role. The solution should also enable modeling and prediction of the consequence of changes in the role infrastructure and principal assignments.

Conformance with the ANSI INCITS 359-2004 Role-Based Access Control (RBAC) standard: This standard describes the relationship of users to roles, roles to other roles, and roles to resources in a privilege-management system. It also describes how to establish static and dynamic separation of duties. Note: Conformance is difficult to ascertain, as there is no profile or testing to verify that a solution truly supports the standard.

For Energy East, Harkola says, communicating business benefits meant ensuring the new processes his group created provided value-add from a service perspective. “You have to think of role management in a broader context, not just, ‘I want to solve role management,’” he says.

At ABN Amro, Kruit says, selling role management meant not only emphasizing a speedier access request process but also a safety net against the types of data access scandals that afflicted organizations in the past year. “We had to make the case,” he says.

Meanwhile, Cooper sees role management as an integral part of enhancing Thrivent’s trusted reputation with customers. “We want to be able to demonstrate that we have the controls in place related to access, and this process has allowed us to do that,” he says.
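The capabilities sidebar above describes role reconciliation (who is assigned to a role, when, by whom and when it should be reviewed), separation-of-duties policy, temporal modeling, and the ANSI INCITS 359-2004 distinction between static and dynamic separation of duties; the opening of the article describes roles as grouped entitlements that are then assigned to people. The following Python is an added illustration of those concepts in working code. It is not code from Burton Group, from any vendor named in this article, or from the standard itself; the role names, permission strings, users, dates and the 90-day review period are constructed for the example.

```python
"""Minimal RBAC model with static and dynamic separation of duties (SoD),
an append-only assignment history and an attestation report.  Added
illustration only: role names, permission strings, users and the 90-day
review period are constructed, not taken from any vendor or the standard."""
from dataclasses import dataclass
from datetime import datetime, timedelta


class SoDViolation(Exception):
    """Raised when an assignment or activation would break a SoD policy."""


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    assigned_by: str          # who made the assignment (reconciliation data)
    assigned_at: datetime
    review_due: datetime      # when the assignment should be re-attested


class RbacModel:
    def __init__(self, review_period_days=90):
        self.roles = {}            # role name -> frozenset of permissions
        self.assignments = []      # history of who held which role, and when
        self.static_sod = set()    # {frozenset({a, b})}: never both assigned
        self.dynamic_sod = set()   # {frozenset({a, b})}: never both active
        self.sessions = {}         # user -> roles activated in current session
        self.review_period = timedelta(days=review_period_days)

    def add_role(self, name, permissions):
        self.roles[name] = frozenset(permissions)

    def add_static_sod(self, a, b):
        self.static_sod.add(frozenset((a, b)))

    def add_dynamic_sod(self, a, b):
        self.dynamic_sod.add(frozenset((a, b)))

    def roles_of(self, user):
        return {a.role for a in self.assignments if a.user == user}

    def static_conflicts(self, user, role):
        """Roles already held by `user` that may never coexist with `role`."""
        return {h for h in self.roles_of(user) if frozenset((h, role)) in self.static_sod}

    def dynamic_conflicts(self, user, role):
        """Roles active in `user`'s session that may not be active alongside `role`."""
        active = self.sessions.get(user, set())
        return {h for h in active if frozenset((h, role)) in self.dynamic_sod}

    def assign(self, user, role, assigned_by, at):
        """Static SoD is enforced at assignment time."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        clash = self.static_conflicts(user, role)
        if clash:
            raise SoDViolation(f"{user}: {role} conflicts with {sorted(clash)} (static SoD)")
        self.assignments.append(
            Assignment(user, role, assigned_by, at, at + self.review_period))

    def activate(self, user, role):
        """Dynamic SoD is enforced here, at session time, not at assignment."""
        if role not in self.roles_of(user):
            raise PermissionError(f"{user} is not assigned {role}")
        clash = self.dynamic_conflicts(user, role)
        if clash:
            raise SoDViolation(f"{user}: {role} cannot be active with {sorted(clash)} (dynamic SoD)")
        self.sessions.setdefault(user, set()).add(role)

    def has_permission(self, user, permission):
        """Only activated roles grant permissions."""
        return any(permission in self.roles[r] for r in self.sessions.get(user, ()))

    def attestation_report(self, as_of):
        """Who holds what, assigned by whom and when, and whether review is overdue."""
        if isinstance(as_of, str):
            as_of = datetime.fromisoformat(as_of)
        return [
            {"user": a.user, "role": a.role, "assigned_by": a.assigned_by,
             "assigned_at": a.assigned_at.date().isoformat(),
             "review_overdue": as_of > a.review_due}
            for a in sorted(self.assignments, key=lambda a: (a.user, a.role))
        ]


def build_demo():
    """Constructed accounts-payable scenario: a clerk may never also be an
    approver (static SoD); an auditor may hold the clerk role but not use
    both in the same session (dynamic SoD)."""
    m = RbacModel()
    m.add_role("ap_clerk", {"ap:create_invoice"})
    m.add_role("ap_approver", {"ap:approve_invoice"})
    m.add_role("auditor", {"ap:read_ledger"})
    m.add_static_sod("ap_clerk", "ap_approver")
    m.add_dynamic_sod("ap_clerk", "auditor")
    t0 = datetime(2008, 1, 15)
    m.assign("alice", "ap_clerk", "bob.manager", t0)
    m.assign("alice", "auditor", "bob.manager", t0)
    m.assign("carol", "ap_approver", "bob.manager", t0 + timedelta(days=100))
    return m


if __name__ == "__main__":
    model = build_demo()
    model.activate("alice", "ap_clerk")
    for row in model.attestation_report("2008-06-01"):
        print(row)
```

The two SoD checks sit at different points on purpose: a static constraint is a property of the assignment record itself, so it is refused before the history is written, whereas a dynamic constraint only matters when roles are exercised together, so the model lets alice hold both auditor and clerk but refuses to activate the second while the first is live in her session. Because assignments are never deleted, the attestation report can answer the temporal question the sidebar raises (who held a role, when, and who granted it) and flag assignments whose review date has passed.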

DO look for a tool that mirrors your organizational approach. It’s important to ensure that the tool you choose is consistent with your organization’s approach to structuring roles. For instance, when Cooper chose Vaau (before it was acquired by Sun), he felt it provided the flexibility he needed to provide not just primary roles but also sub-roles and out-of-role requests for temporary projects.

DON’T underestimate the time commitment. Implementers agree that role management is a multiyear effort. Having started in December 2007, Energy East predicts it will have role templates in place for more than 40 percent of its 6,000 employees by the end of this year. Harkola expects things to speed up with the implementation of Courion’s Role Courier.

Cooper says he’s spent almost his entire career at Thrivent on role management, with the effort starting in 2006. By the end of this year, he expects to have roles created across the majority of the organization, and 20 percent of the company’s application portfolio will be integrated into the system. The most time-consuming piece, according to Cooper, is the communication, analysis and research required to get businesspeople on board and ensure your initial design is correct. The good news, he says, is that the learning curve drops off, and you can leverage process improvements and reuse definitions. While it took 12 weeks to set up roles for Thrivent’s first business unit, the team is now completing units in six weeks.

But all in all, “the work effort is probably more than you anticipate, and you need to have a dedicated team,” Shumard warns. Particularly thorny areas for Cigna included workflow, communication and getting role managers involved.

DO manage scope. Shumard says it’s important to create a road map to best understand your goals, pain points and what you want to address first. And because of the time and cost involved, companies like Thrivent have honed the number of applications they will include in their role management systems; Thrivent chose to focus first on its financially significant privacy applications, which make up 10 percent of its portfolio. “In a lot of our applications, less than a dozen people have access,” Cooper says. “In cases like that, it doesn’t make sense to apply $15,000 or $50,000 to integrate that application with the system.”

DO consider getting a quick start with role mining. Role mining is becoming more common in full-featured role management systems. It’s a feature that looks for established patterns, which users then interpret to define roles, eliminating 25 percent to 40 percent of the legwork that used to exist, according to Perry Carpenter, an analyst at Gartner. In this way, it can be used to show value quickly. Software provider Eurekify is well-known for its role-mining capabilities, and built its system on top of an analytic engine, but even companies that came into the market from an audit or compliance background are doing role mining now.

At the same time, role mining is no magic pill, Cooper warns. When he was evaluating vendors, for instance, it was clear through a proof of concept that Vaau’s approach worked well for Thrivent; however, he says, some approaches are more effective than others. “Some might take hours to process, while others take minutes,” he says. “It depends on the numbers they need to crunch.”

DON’T create too many roles. It’s important to keep the number of roles you create down to keep your management burden low. “It’s a lot easier to manage 1,000 roles than 5,000 or 7,000 individual access profiles,” Cooper agrees. It’s good practice to use an 80/20 rule, he says, where you assign groups of users a base set of access and then use auxiliary roles and exceptions to cover additional access needs. Companies use different rules of thumb to determine how many roles to create. Some say you should have one role for every 10 people, Cooper says, while “role proliferation” is considered to be one role for every three to five people. Thrivent aims for one role per 12 to 18 employees.
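The role-mining passage above and the 80/20 rule and role-count rules of thumb in the preceding paragraph can both be seen in a small bottom-up exercise. The following Python is an added example, not code from Eurekify, Vaau, Courion, Aveksa or any other vendor mentioned in this article: it takes a constructed "book of record" of entitlements, first mines candidate roles by exact match (one role per distinct entitlement set), then applies an 80/20 split per department (an entitlement held by at least 80 percent of a department's users goes into the base role, everything else becomes an exception), and compares the users-per-role ratio of the two approaches. Department, user and entitlement names are made up.

```python
"""Bottom-up role mining over a constructed entitlement 'book of record'.
Added illustration only; departments, users and entitlement names are made up
and no vendor's algorithm is reproduced."""
from collections import Counter, defaultdict

# Constructed as-is access data: user -> (department, entitlements held)
ENTITLEMENTS = {
    "u01": ("claims", {"crm:read", "claims:read", "claims:write"}),
    "u02": ("claims", {"crm:read", "claims:read", "claims:write"}),
    "u03": ("claims", {"crm:read", "claims:read", "claims:write", "claims:approve"}),
    "u04": ("claims", {"crm:read", "claims:read", "claims:write"}),
    "u05": ("claims", {"crm:read", "claims:read"}),                 # read-only contractor
    "u06": ("finance", {"gl:read", "gl:post"}),
    "u07": ("finance", {"gl:read", "gl:post", "ap:approve_invoice"}),
    "u08": ("finance", {"gl:read", "gl:post"}),
    "u09": ("finance", {"gl:read", "gl:post"}),
    "u10": ("finance", {"gl:read", "gl:post", "hr:salary_read"}),   # leftover from an old job
}


def exact_match_roles(data):
    """Naive mining: each distinct entitlement set becomes a candidate role.
    Returns {frozenset(entitlements): sorted users holding exactly that set}."""
    groups = defaultdict(list)
    for user, (_dept, ents) in data.items():
        groups[frozenset(ents)].append(user)
    return {ents: sorted(users) for ents, users in groups.items()}


def base_role_and_exceptions(data, threshold=0.8):
    """80/20 mining per department.  An entitlement held by at least
    `threshold` of a department's users goes into its base role; anything
    else a user holds is an exception to review.  Users who hold less than
    the base role are reported too, because assigning the base role would
    grant them access they do not have today."""
    by_dept = defaultdict(list)
    for user, (dept, ents) in data.items():
        by_dept[dept].append((user, set(ents)))
    result = {}
    for dept, members in sorted(by_dept.items()):
        n = len(members)
        counts = Counter(e for _u, ents in members for e in ents)
        base = frozenset(e for e, c in counts.items() if c / n >= threshold)
        result[dept] = {
            "users": n,
            "base_role": base,
            "exceptions": {u: sorted(ents - base) for u, ents in members if ents - base},
            "over_provisioned": {u: sorted(base - ents) for u, ents in members if base - ents},
        }
    return result


def mining_summary(data, threshold=0.8):
    """Compare the two approaches by the users-per-role ratio the article's
    rules of thumb are expressed in (one role per 3-5 users is proliferation)."""
    exact = exact_match_roles(data)
    mined = base_role_and_exceptions(data, threshold)
    n = len(data)
    return {
        "users": n,
        "exact_match_roles": len(exact),
        "users_per_exact_role": round(n / len(exact), 2),
        "base_roles": len(mined),
        "users_per_base_role": round(n / len(mined), 2),
        "exceptions_to_review": sum(len(d["exceptions"]) for d in mined.values()),
        "over_provisioned_users": sum(len(d["over_provisioned"]) for d in mined.values()),
    }


if __name__ == "__main__":
    for dept, info in base_role_and_exceptions(ENTITLEMENTS).items():
        print(dept, sorted(info["base_role"]), info["exceptions"], info["over_provisioned"])
    print(mining_summary(ENTITLEMENTS))
```

On this constructed data, exact-match mining yields six candidate roles for ten users, well inside the one-role-per-three-to-five-people range the article calls role proliferation, while the base-role split yields two roles with three exceptions to review (including the hr:salary_read entitlement that nobody in finance should still hold). It also flags one user who would gain claims:write from the base role, which is the check to make before a mined role is assigned: a pattern that fits 80 percent of a department can over-provision the users whose current access is narrower than the pattern, so those cases go back to the business owner rather than straight into provisioning.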

The key, Harkola says, is working with management to create a template that accommodates the majority of people without a lot of exceptions. He expects to have about 200 roles defined for 6,000 employees.

DO look for reporting capabilities and a strong certification process. Available systems differ in the way they provide reporting capabilities. Cooper likes how Sun provides a centralized database for reporting. “If I need to know who has access to what, I just run a report, and it gives a list of systems, the roles the employee belongs to and the exceptions outside the role you have,” he says. “It’s a one-stop-shop report that you can run that can certify that your people have access to the right things.”

The tool’s certification process can also significantly ease the job of sharing role information with business managers and gives them the responsibility of certifying roles to auditors. Shumard says his company moved from a highly manual, error-prone, spreadsheet-based process to a “very slick” process that business users easily adopted, thanks to Aveksa.

Who’s Who?

The role management software vendor community is relatively young, and as such, there is no clear market leader. Vendors can be categorized into two groups: general-purpose solutions and embedded solutions.

General-purpose solutions offer a distinct, stand-alone solution for collecting, organizing, modeling and maintaining roles, as well as disseminating role definitions to users or applications that can leverage them. General-purpose solution providers include:

■ Eurekify. Oldest provider in the market, followed by Bridgestream and Vaau. Well-known for its analytics technology to perform bottom-up discovery and design.

■ BHOLD. Privately held firm based in the Netherlands. Original strengths were in access and authorization management but has broadened to include resource provisioning.

■ Engiweb. Relatively recent market participant, best known in southern Europe. Its identity management system sees roles as an integral element of the equation, not as an option.

■ Omada. Entered the market in 2006, with headquarters in Denmark. Based on Microsoft technologies and closely coupled with SAP.

■ Bridgestream (acquired by Oracle). Headquartered in San Francisco, this system’s original strengths were in human resources and organizational design, but it has grown to envelop the relationship of roles to privileges. This gives it a strong foundation to balance between business objectives and responsibilities, privileges and resources.

■ Vaau (acquired by Sun). Based in Los Angeles, this system is well-known for its compliance capabilities but has strengthened its role engineering and role management capabilities.

■ Aveksa. Massachusetts-based firm that specializes in solutions for identity auditing; role and entitlement certification and monitoring; and management of the role and access lifecycle.

■ SailPoint. Texas-based provider whose solution is geared toward identity governance, risk management and compliance.

Embedded solutions are role management systems provided as part of an identity management application. Many of these vendors form strong partnerships with (or acquire) a general-purpose provider, or they work to augment their own role management capabilities. Vendors include Avatier, Beta Systems Software, BMC Software, Computer Associates, Courion, IBM, MaXware (now a unit of SAP), Novell, Siemens and Volcker Informatik.

Source: Burton Group

DON’T assume you need a suite to integrate role management with your provisioning system. Carpenter stresses the need to look at the system’s ability to integrate tightly with any user provisioning system you have in place, whether it’s a stand-alone product that exports a feed or one that’s part of a suite. Thrivent took a best-of-breed versus suite approach when it selected Vaau for role management and Oracle for user provisioning. “We knew there was a risk of Vaau being purchased, but they assured us they would maintain integration with Oracle,” he says. ■

Mary Brandel is a freelance writer. Send feedback to Editor Derek Slater at dslater@cxo.com.




There’s  no  such  thing  as  a  digital  investigation. 

Or  a  physical  one.  Searching  for  clues  and  resolutions 
requires  a  blend  of  disciplines  governed  by  a  flexible 

forensic  mind-set.  By  Malcolm  Wheatley 


NOT  LONG  AGO,  the  legal  department  at  a 
financial  services  company  in  New  York  got  a 
phone  call  from  a  hospital  in  London.  The  query: 
Why  are  you  hacking  us?  With  two  known  IP 
addresses,  it  wasn’t  difficult  for  the  financial 
firm’s  information  security  staff  to  go  back 
through  the  logs  looking  for  traffic  between  the 
two  organizations.  And  with  the  traffic  identi¬ 
fied,  locating  the  computer  from  which  the  hacks 
were  taking  place  didn’t  take  long,  either.  The 
culprit:  an  individual  who— as  their  human 


Photo-illustration  by  Steve  Traynor 


26  www.csoonline.com  September  2008 


COVER  STORY  I  INVESTIGATIONS 


resources  records  soon  confirmed— had  formerly  worked  at  that 
very  hospital.  I 

Ah,  the  good  old  days.  As  investigations  go,  says  Winn 
Schwartau,  founder  of  security  awareness  certification  com¬ 
pany  SCIPP  International  and  an  information  security  expert 
who  has  testified  before  Congress,  the  hospital  hack  was  an  _ 
increasingly  rare  example  of  a  fast-dying  breed:  a  pure  infosec 
forensic  investigation,  carried  out  digitally. 

Of  course,  apprehending  the  suspect  in  such  a  case,  or  seiz-  g 

ing  physical  evidence,  requires  a  whole  new  dimension.  And 
that’s  why  CSOs  and  CISOs  increasingly  report  that  purely 
“computer”  investigations,  like  the  hospital  hack,  are  a  thing  of 
the  past— as  are  purely  “physical”  investigations.  Pretty  much  g 
every  significant  investigation  these  days  now  includes  ele¬ 
ments  of  both,  whether  the  case  at  hand  requires  face-to-face 
interviews,  forensic  accounting,  e-mail  discovery  and  review, 
computer  and  network  forensics,  cell  phone  records,  video  - 
surveillance  analytics,  access-card  logs,  inventory  audits  or 
all  that  and  more.  So  in  such  an  environment,  how  can  CSOs 
and  CISOs  staff,  train  and  prepare  for  such  “blended”  forensic 
investigations  to  be  effective?  What  are  the  areas  to  concentrate 
on,  and  where  do  the  pitfalls  lie?  And  how,  in  short,  can  security 
navigate  this  blended  investigative  world? 

TOGETHER  IS  BETTER 

“No  matter  how  good  the  forensic  investigation  is  at  the  IT  level, 
there’s  always  going  to  be  a  physical  investigation— targeted 
interviews,  building- access  logs  and  so  on,”  says  Robert  Huff  a  g 

former  FBI  agent  and  now  managing  director  and  global  leader 
for  corporate  investigative  services  at  Aon  Consulting,  head¬ 
quartered  in  Chicago.  “Almost  always,  computer  forensics  need 
to  be  supplemented  by  physical  inquiries.”  _ 

Likewise from the other side of the fence, adds Chris Boyd, head of forensic operations at Horley, U.K.-based Detica Forensics, and a former police specialist. “The physical world is going digital,” he asserts. “Access logs aren’t sheets of paper, but digital records and even CCTV footage are moving from VHS video tapes to hard drives. It used to be that IT forensics supported the physical investigation—and although there’s still a place for both types of investigation, it’s now the physical investigation supporting the IT one in many cases.”

And in this dual “blended” world, says William Pelgrin, director of the New York state office of cyber security and critical infrastructure coordination, one thing is clear: The era of the blended investigation is not without its advantages. For in reality, he points out, infosec investigators have long had to bear in mind that there might be a physical dimension to the investigation at hand—and likewise physical investigators.

“Trying to look at things one-dimensionally tended to introduce artificial constraints,” he argues. “It was always a smart move to ask if there was a physical component to a cyberattack, and vice versa. Yes, there are pure cyber incidents, and there are purely physical incidents—but it’s wrong to assume that’s what they are without exploring the possibility that they might not be. You have to look at things from different angles to get the complete picture.”


And the importance of this recognition, he stresses, isn’t just that more bad guys get caught. Instead, it’s that with the need to be multidimensional out in the open, investigations can appropriately “tool up” from the start.

“In today’s world of investigations, you can’t do—or be—everything, so you bring in the skills and competencies that you need, as and when you need them,” explains Pelgrin.

But which precise skills and competencies? The first few minutes of an investigation are where it’s most critical to get things right, and it’s here that appropriate training is often required, says David Brown, managing consultant for security advisory services at Skokie, Ill.-based consultants Forsythe Solutions Group.

“The first few minutes of the initial reaction tend to set the stage for the rest of the investigation, and it’s during those first few minutes that it’s vital that the physical guys understand the requirements of the IT team, and vice versa,” he emphasizes. “There’s a balance to be drawn between incident mitigation and preservation of evidence—and that balance often depends on the organization in question—but each team needs to know which actions will help the other team, and which will hinder them.”

On a related point, understanding each other’s preferred modus operandi is also useful, adds Adrian Davis, a London-based senior research consultant at the Information Security Forum, a not-for-profit international association of some 300 leading international organizations. “Physical security people tend to approach investigations in a particular way, and that might seem strange to IT people,” warns Davis. “It’s important they understand each other’s approaches, so that they reinforce, rather than conflict [with], the other party’s investigative work.”

Beyond that, it’s also sensible for each team to understand the other’s strengths and weaknesses—and how those characteristics dovetail with their own team traits. “Theft, for example, is something that the physical guys usually have more experience with—but if someone is using a computer system to divert shipments, then you’ll need the involvement of both parties—and the physical guys need to know when to step back and call in the [digital] experts.”

And  sometimes,  of  course,  the  experts  in  question  will  be 
external  investigators  from  law  enforcement  agencies.  Rules 
and  procedures  vary  with  jurisdiction,  but  a  good  operating 
assumption  is  that  when  the  investigation  uncovers  the  fact 
that  a  crime  may  have  been  committed,  local  law  enforcement 
agencies  will  need  to  be  informed. 

At  which  point,  there’s  likely  to  be  the  need  to  call  the  human 
resources  department,  and  usually  the  legal  department  as  well. 

28 www.csoonline.com September 2008

“The ‘people’ component of an investigation is always the most difficult,” warns Schwartau. “People management is the remit of the legal and human resources folk, and they don’t fold well into the world of geeks and geekdom.” Nevertheless, he stresses, employees’ rights have to be respected, and it’s the role of the human resources and legal people to see that they are.

The bad news, he says, is that from an investigator’s point of view, the involvement of these departments can be seen as a hindrance, potentially leading to occasions when forensic teams might “forget” to call them in promptly. “They show up, and say: ‘You can’t do this, you can’t say that and the rules won’t let you do this’—it’s a pain,” he acknowledges. “But you need them involved because they are the gatekeepers to the wider legal process.”

In short, he sums up, recognize that legal and human resources people are going to show up; train investigators in what they will be looking for and the consequences of noncompliance—such as a countersuit from an employee with a grievance.

THE  LAW’S  LONG  ARM 

Just as internal investigators from the cyber and physical organizations need to understand each other’s procedures and preferences, the same holds true when law enforcement agencies are called in.

While physical security people tend to be familiar with chain-of-custody requirements, IT forensics people don’t always pay the attention they should to this, warns Howard Schmidt, a former CSO for Microsoft and eBay with a background in law enforcement, who these days serves on the board of (ISC)2.

In today’s wired world, he points out, locking down corporate systems until the law shows up isn’t usually a practical proposition. The result—internal investigators gathering evidence usually while they fix whatever the problem is—calls for schooling in evidence gathering and preservation.

“It’s partly about specific training in what to do and what not to do, and it’s partly about building a sense of mutual trust between the internal investigators and external law enforcement agencies,” says Schmidt. “Physical investigators tend to understand this better: Now the IT people are getting trained, and they need to understand that an image of a file dump isn’t as good as evidence with a full chain of custody.”

New York’s Pelgrin, for example, organizes annual training sessions for New York’s infosec employees, where precisely such topics are covered. The issue isn’t just about not impeding the investigation, or inadvertently destroying potentially valuable evidence, he stresses; it’s also about promulgating clear-cut guidelines for establishing the chain of custody.

“When you take possession of a machine, or possession of a hard-drive image, which could then go on to feature on a disciplinary or court case, it’s important to be able to prove in a tribunal or a court just who has had control since that possession was taken,” he says. “Evidence must be presented in its original state, and with proof that tampering has not been possible.”

But in the era of the blended investigation, and with physical and IT forensic investigators working more closely together, is there actually a need anymore to differentiate between the two skill sets? In short, does the era of the blended investigation bring forth the blended investigator?

The jury, it seems, is out. “Do you take people with a strong investigative background, and train them in computer forensics—or take people who have strengths in computer forensics, and try to train them in investigative skills?” asks Amit Gavish, managing director of corporate intelligence at Shelton, Conn.-headquartered security consultants SSC. “It’s something we wrestle with all the time—and typically, we find that the people with the best IT forensic skills don’t have the right investigative mind-set.”

With  some  caveats,  Peter  Yapp  agrees.  Now  the  London- 
based  head  of  network  forensics  at  business  risk  consultants 
Control  Risks,  Yapp  actually  set  up  such  a  team  when  working 
for  the  United  Kingdom’s  customs  service  in  the  1990s. 

“In establishing our computer forensic team, what we did was to take existing customs investigators and teach them IT forensics, rather than attempting to do it the other way round,” he explains. “It worked, but we were probably lucky in having people with a reasonable IT background already. I’m not sure you could take any investigator and get them up to speed in forensics—just as you can’t take any IT technician and turn them into an investigator.”

THE  INVESTIGATIVE  MIND 

Indeed, Yapp argues, the “forensic” part of the job description probably obscures the essential aspect of the role that is common to both physical and IT forensic investigators: solid investigative skills.

“What I look for is someone who can speak both languages: the language of computers and the language of the real world,” he says. “More importantly, though, I want people who don’t give up, who look around them and observe what’s going on, and who see and then act upon anomalies. It’s not just about looking for keywords on a disk—it’s about picking up signs that something isn’t right.”

SSC’s Gavish concurs. The mind-set is important, he stresses—and ultimately determines whether an investigation is staffed by two specialist skill sets or one person with both. “The physical investigator will want to stay close to his comfort zone of traditional investigative approaches, while the IT forensic person is going to feel most at home with the IT tools and techniques he or she is most familiar with,” he says. “If you can’t break that, then it’s best to double-staff and task people to do individual parts of the overall investigation.”


Malcolm Wheatley is a freelance writer based in the U.K. Send feedback to Editor Derek Slater at dslater@cxo.com.



SAFETY  AND  SECURITY 


Curtis Shewchuk, CSO of Con-way Freight: Cooperation is valuable, but both security and safety still require specialist knowledge


Security and safety often go hand in hand, but sometimes they conflict. Here are ways to cooperate to achieve both departments’ goals. By Fred Hapgood


Photo by David Deal

In 1999, the Massachusetts state fire marshal issued a cautionary advisory about a new security product: a surveillance camera designed to look like a smoke detector. “This action has created a great concern for us in the fire service,” Stephen Coan said. “If this [security cameras as smoke detectors] becomes widely known, we feel that the lives of people will be placed in jeopardy. Out of fear of being watched and the loss of privacy, it is possible that people will begin to cover over smoke detectors, endangering their lives....” Marshal Coan was not alone in his concern: In 2004, New York officials forced local outlets to stop selling the device for many of the same reasons.

Whatever else this incident might teach, it certainly illustrates the complex relation of safety to security. On one hand, the missions have much in common: Both are concerned with the integrity of systems and the protection of people. Yet there are also deep differences: Safety defends against outcomes that are unintended; security, against planned malevolence. Security is comfortable with the languages of incentives and probability; safety, less so. Safety is usually defined by area (Is this a safe neighborhood?); security, by systems. Safety is a state of mind; security is a procedure. Safety concerns itself with people; security worries about assets, which include but are not confined to people. Security divides the population into good people and bad people; safety treats everyone alike.

At least potentially, these variations can spark conflicts. Security and safety are both interested in access, but security likes to see small numbers of well-identified people moving slowly, while safety wants the option of evacuating large numbers rapidly, without regard to identity. Safety might want to clean up scenes of incidents; security, to secure sites and preserve evidence.

Safety systems like to be conspicuous, generally accessible and simple to operate; security might have second thoughts about all those virtues. (And then sometimes security likes to be conspicuous, while safety might have objections, as in a store or school.)

Chemicals security is advanced significantly by underground storage; the EPA, which is charged with ensuring the safety of underground water reserves and is therefore concerned with leaks, makes that difficult. “EPA regulations on chemical storage tanks do not specifically address security, nor do they seek to balance security versus environmental protection,” observes Roxanne Smith, press officer at the EPA.

Exactly. 

Managing this relationship can therefore be complex. Differences create cultural barriers, and barriers—silos in the organizational context—can slow the diffusion of good ideas. For instance, some feel that safety has been slow to embrace security cameras, even for such simple and straightforward applications as incident review and training, and for monitoring procedure compliance. Sloan Foster, VP of marketing for ArmidaWare, a company in Austin, Texas, that makes surveillance equipment, suspects that this reluctance does not reflect considered policy decisions as much as simple cultural inertia. “Safety people just haven’t thought much about security cameras,” she says. Of course there is a chicken-and-egg issue here—so long as the market is defined around security, that is what market development will focus on. As of July, not even Foster’s own company promoted the safety applications of its products on its site.

So one obvious task of smart management is to poke holes—the right holes—in these walls between security and safety. David (“Mike”) Hager, enterprise security officer at Unisys, had a university client come in after the Virginia Tech shootings with an interest in using cameras and remotely controlled locks to advance student safety. The idea was to give safety officers enough intelligence to unlock the doors that might be impeding student evacuations while locking or relocking those that would confine the source of the threat—all without traveling physically to the doors in question. “This was a case of safety driving security, which does not happen that often,” Hager says. (While the first iterations of the project design proved financially impractical, conversations are continuing.)

Common  Ground 

Another useful exercise of management might be to find points of overlap between the two missions, identifying places where each can advance the mission of the other with small investments in training and equipment. For instance, the key operating responsibilities in the food sector are detecting food contamination, economic fraud (in which a contracted input is switched surreptitiously for a cheaper one) and threats to salability (bruising, spoilage). All these require high levels of surveillance, which means that almost everyone working on the floor of a food manufacturer or distributor is already so alert to unexplained and unexpected changes that security functions can be added cheaply. If you are already checking tank outlets to make sure they are capped (to avoid contamination from rain or dust), checking the locks on the caps is a small step.

However, as with cameras, gaining leverage across the cultural divide does not happen automatically. “Food defense” (this industry uses the term defense where other sectors use “security,” since here the term security is used to refer to sustainability) hasn’t been part of the traditional mind-set of food processing workers. “People just didn’t think of calling the FBI,” says Gary Ades, a food safety and defense consultant in Bentonville, Ark. John Spink, director of the Packaging for Food and Product Protection Initiative at Michigan State University, believes that managing the security-safety overlap in this sector requires defining and enforcing clear, simple, intuitive and routine communication procedures. If it is useful for protective purposes to know about unusual patterns in salability rejections, the right way to distribute that information is to gather and report it routinely, as opposed to leaving it to each worker to think through the merits of each specific case.

Greg Halvacs, CSO of Cardinal Health: Cross-training can help lower travel and other costs associated with security and safety audits (Photo by Stephen Webster)

Often, the leveraging of these overlaps works by circulating personnel across missions. Greg Halvacs, CSO of Cardinal Health, a medical products and services company in Dublin, Ohio, uses security audits to ask safety-related questions (Do you have a lockout, tag-out program in place? Let me see your loss-time accident log sheet.) and safety audits to ask security questions (Do you do background checks?). He says the practice saves travel costs and reduces the time that field sites have to spend dealing with audit committees. Sometimes the security coordinator at a site becomes the full-time safety contact; at other sites, safety people are tasked with asset security, taking inventory of items and equipment on a site, and monitoring the presence (or absence) of subcontractors. While examples can be found of both flavors of integration—moving security’s responsibilities to safety and safety’s to security—the former seems more common, perhaps because in certain industries, safety is usually more heavily manned and is more familiar with the operating landscape.

Emergency response or disaster preparedness units are often textbook cases of integration. United Rentals of Greenwich, Conn., rents items such as generators and chain saws, which can be critical for advancing both safety and security after a disaster. As a result, UR places a priority on having outlets in disaster areas up and running very quickly after an event, regardless of the damage their branch might have experienced, or, indeed, whether there had been a preexisting UR branch in that area at all.

According to Steven Baird, VP of corporate security, UR keeps a small fleet of reaction trailers in the parts of the U.S. most likely to be affected by hurricanes or tornadoes. When there is a disaster, a trailer drives to the heart of the affected area. “If an unplanned disaster hits, we can usually get to a site in 12 hours or less,” Baird says. “If we have any warning, as with a hurricane, we’re ready to go as soon as the storm has blown through.” These trailers carry everything necessary to support a UR presence until a new building is found or built, from staff facilities (a kitchen, a bathroom, sleeping quarters, satellite uplinks) to emergency gear (fencing, ladders, saws, traffic cones, rain gear). Trailer staff have been trained in emergency medical procedures and First Responder protocols. They do safety (checking for downed wires and leaking fuel), security (setting up a corral with illuminated fencing) and business resumption (organizing connections with supply trucks).

Finding  Balance 

However, it is easy to overshoot this business of integration. Departments have their logic, silos are not all bad and there are returns to specialization and autonomy. Curtis Shewchuk, CSO of Con-way Freight, points out that in recent years, safety has extended into wellness programs and sustainability or green issues, and security, into family and executive protection and participation in C-TPAT (Customs-Trade Partnership Against Terrorism), the Customs and Border Protection initiative intended to secure the integrity of supply chains that pass in and out of the U.S.

At the same time, Shewchuk adds, even where responsibilities remain the same, expectations about the execution of both missions have changed. Increasingly, both security and safety are expected to think of threats proactively, before circumstances drop them in our laps. It takes real expertise to tell the difference between the potentialities that need to have resources thrown at them right now and those that are too unlikely to worry about. Second, supply chains are becoming more integrated, requiring companies to coordinate—and therefore be aware of—the safety and security protocols of clients and partners up and down the chain. Again, very demanding tasks. The professionals involved with them do not have time to wear two hats.

Pete Wilcox, large-account director of Travelers Construction (a unit of the big insurance company), sees safety professionals turning into full-fledged risk management experts. In the old days, he says, “safety meant enforcing the compliance of your own workers on your own site to OSHA regulations. In those days, the sole remedy for workplace injuries was workers’ compensation. But liability exposure has expanded dramatically, and today we enforce a much broader standard of care. If we tear up a sidewalk, we have to know who had been walking on that sidewalk and where they were going and how they will be affected by our project. None of that is addressed anywhere in OSHA.” Wilcox thinks that the financial implications of this broader standard are such that safety professionals are going to be involved from the very start in project design, including bid preparation. “We see ourselves as leading this change,” he says, “but eventually it will affect everyone.”

Clearly these issues are only going to grow more complex. Years ago I was having a casual conversation with Tim Overton, chief process safety engineer at Dow Chemical. I asked him to speculate as to the core mission of his profession over the next 10 years. He didn’t hesitate: “Reconciling and integrating safety and security,” he said. At the time, I didn’t even know what he meant, but today, looking back, that turns out to be one of the better forecasts I’ve heard.


Fred  Hapgood  is  a  freelance  writer  based  in 
Boston.  Send  feedback  to  Editor  Derek  Slater 
at  dslater@cxo.com. 




INTERVIEW 


Intelligence Quotient


It’s been five years since security pioneer Dan Geer was fired from @Stake for cowriting a paper warning that a Microsoft monoculture threatened national security.

The firing actually helped cement Geer’s status as a security luminary and has led to a wealth of opportunities, including a stint as vice president and chief scientist at Verdasys, and his latest role as CISO for In-Q-Tel, the investment arm of the U.S. intelligence community—particularly the Central Intelligence Agency (CIA).

Geer, a member of Project Athena at MIT during the creation of the widely used Kerberos authentication protocol, recently sat down with CSO Senior Editor Bill Brenner to discuss the “gee-whiz” moments he now enjoys as he gets a peek at some of the latest intelligence technology.

He  also  explains  the  goal  behind  his 
recently  released  book,  Economics  and 
Strategies  of  Data  Security,  and  revisits  the 
monoculture  debate,  which  he  believes 
played  a  role  in  security  improvements  at 
Microsoft. 

CSO: Last time we spoke, you were at Verdasys. Why the move to In-Q-Tel?

Dan Geer: The role I have is new, partly the classic job of CISO, and they have information that needs to be handled properly. Information security and digital identity management are important for this company and I was hired to help with that. I’m obviously on the technical side.

So  far,  the  gee-whiz  fascination  value  is 
pretty  high.  I’m  finding  that  the  elements 
that  are  not  my  specialties  are  the  most 
fascinating  parts  of  the  job. 

Such  as? 

A ground cover that changes color when its roots touch land-mine residue, so you can plant it and find land mines without having to use your water buffalo; what looks like a sheet of paper which is actually lit up, three times the efficiency of LEDs [light-emitting diodes, semiconductor diodes that emit light when an electrical current is applied in the forward direction of the device], which is paper-thin and can be cut with a scissors; and the ability to extract power from the room you are in. Powering things without a power cord is of huge interest to commercial and intelligence entities.

I’ve also found that the nanotechnology world is full of fascinating things, and I’ve also seen a handheld spectrometer that lets you tell what material you’re looking at—a tool that came out of carpet recycling, of all things. In the carpet recycling business, it’s evidently a bad idea to melt down your polypropylene with your nylon. The spectrometer was invented so the recycling people could sort the shreds into the proper piles.

What’s  the  most  difficult  issue  you’ve 
dealt  with  so  far  at  In-Q-Tel? 

The hardest question I’ve been asked is about how you conduct surveillance in a place like Second Life [the Internet-based, virtual-world video game developed by Linden Research]. The question specifically is, How do you do collections in Second Life, where it’s abundantly obvious that real money changes hands and people who talk to each other aren’t necessarily who they appear to be? It’s the hardest question I’ve heard to date. Marketing people who are exploring this for entirely different reasons are bound to stumble across things that are of interest to the intelligence community.

Let’s talk about the book. If there’s one point you want readers to take from it, what would it be?


36  www.csoonline.com  September  2008 


Geer-isms

Those who know Dan Geer will agree that his mental prowess often leads to some pretty colorful one-liners. Here are some examples, taken from past interviews and keynote addresses that are in the public domain:

“The first workstations were big, clunky and useless. I can’t believe we used it and thought it was cool.” -A description of his days at Project Athena

“If Kerberos is defeated, it won’t be because someone broke it but because the business model it supports is no longer relevant.” -Response to a question about the Kerberos authentication protocol

“That rather dark cloud had a rather big silver lining.” -On his dismissal from @Stake

“Information is an asset and is quite likely something that must be valued in the way you would value other assets, like oil and the refinery that processes it.” -Regarding the need to put defenses around information itself rather than simply securing the perimeter

“If you are losing a game you can’t afford to lose, change the rules.” -At Source Boston, March 2008


Information is an asset and is quite likely something that must be valued in the way you would value other assets, like oil and the refinery that processes it. If you are at Exxon, it is clear you have a complex equation for how you value the current and predictable lifetime of your oil refinery. Why should it not be the same case for data?

The goal is to assist managers in understanding the risks and costs associated with data loss; to encourage discussion around the economics of data security; to define intelligent data-centric strategies; and to develop a forward-looking approach that will address data security needs now and in the future.


You’re probably immensely tired of this topic, but let’s revisit the Microsoft monoculture paper. It was, in hindsight, one of the best things for your career.

That rather dark cloud had a rather big silver lining.

Much has happened with Microsoft security since then. Does the basic warning of that paper still stand, or is your position more relaxed given their security efforts?

In my view they accepted the paper. The proof of that is how they addressed the location randomization that’s in [Windows] Vista. That’s a direct attempt to insert diversity in the name of creating as a side effect nonpredictability. The argument in our paper was that there was a lack of diversity that produced a level of predictability [that could be easily figured out and exploited]. The change in Vista has made it so that a certain class of exploits has gone from easy to hard. Who can argue with that?

On the other hand, it’s only a drop in the bucket. There are other monocultures out there. Dan Kaminsky’s Domain Name System (DNS) flaw is an example of that, as is the fact that Cisco infrastructure is sitting atop the backbone of the Internet. ■


Photo  by  Furnald/Gray 




MANAGEMENT

Bridging the Generation Gap

Boomers, Gen X and Gen Y present unique security challenges on the job. Do your employees know what types of risk they create?
By Joan Goodchild

Craig Shumard has been with health benefits company Cigna for 27 years. Working his way up in different positions, he jumped into the role of chief information security officer in 1999. In the past nine years, he’s seen more changes in technology than in the entire two decades before that.

Technological advances for every company are always both a welcome addition and a burden. For Cigna, technology has also meant assessing how different attitudes among various generations are going to impact their sensitive data. New mediums, like online blogs and social networking sites, mean employees have more opportunities to discuss information in a very public way.

“What I see more among the younger generation now is a willingness to share information, while Boomers and other older employees are not so forthcoming,” says Shumard.

And that’s a problem when you are a health benefits provider with 26,000 employees—many of whom are handling private information about patients. In fact, Cigna has crafted policies around the appropriate use of things like blogs and wikis. The company was concerned that employees, especially younger ones, who blog in their free time, might not realize what was appropriate to discuss outside the office.

“The challenge becomes, how do you educate and raise the level of awareness, and where do you draw the line?” Shumard says.

The generation gap is a term that has been used for decades to describe the differences between people in various age groups. Corporations are constantly considering what makes different generations tick when it comes to recruiting and retaining employees. But security experts say companies also need to examine age-based perspectives and habits when it comes to risk assessment and policies.

Cultural analysts generally divide today’s personnel into three generations: Baby Boomers, Generation X and Generation Y (also known as Millennials). The stereotypes typically go like this: Gen Y employees, workers born after 1980, are tech-savvy and have a short attention span. Baby Boomers, born between 1946 and 1965, are loyal and dependable: the original workaholics. And Gen X-ers, once known as the slacker generation and born between 1965 and 1980, tend to be cynical and independent.

Photo by Dominic Episcopo

Health benefits company Cigna created policies to help the workforce (especially younger employees) deal appropriately with wikis, blogs and other social media tools, says CISO Craig Shumard.

Stereotypes are worthless for predicting the actions or reactions of any one individual. Yet these generalizations do tend to ring true in many organizations, according to Roberta Chinsky Matuson, president of Human Resource Solutions, a Massachusetts-based consultancy that regularly advises corporations on generational differences. Companies need to find ways to relate to all perspectives in order to defuse what she terms potentially explosive situations. “From a security standpoint there is lots of opportunity for misunderstandings,” says Matuson. “We need to educate people about what those are.”

According to HR and security experts, workers of each generation are engaging in risky behavior of different types and may not understand how their habits are compromising a company’s risk level.

Cigna’s concern about sensitive, private information that may make it into the blogosphere is one example. Another is found in recent research from security software maker Symantec. The survey, which was released earlier this year, found that IT managers are at odds with Millennial workers. Among respondents, 66 percent of Millennials said they use Web 2.0 technologies, such as Facebook and YouTube, while at work. Only 13 percent of older workers admitted to logging on to these kinds of websites in the office. Meanwhile, Symantec also surveyed IT managers, and 50 percent said they have policies specifically banning Web 2.0 applications such as social networking, iTunes, streaming video and gaming applications.

“For Millennials, there is more blurring of the lines between work and home,” says Samir Kapuria, a managing director with Symantec Advisory Consulting Services, the group that conducted the survey. “They tend to use what they have at home while at work, and this is really forcing corporations to rethink IT risk management.”

The risk, according to Kapuria, is that Web 2.0 programs are a huge target now for phishing scams and malicious code attacks. And the implications from these Millennial habits go further than simply putting a corporate IT infrastructure at risk of attack. There are privacy issues to consider, too.

The poll found that younger workers regularly store corporate data on personal devices, such as PCs and USB drives, much more than their older counterparts. This flies in the face of the 75 percent of corporate IT managers who said they have policies that restrict corporate data and information on personal devices. Symantec also found that 85 percent of corporate IT managers have policies restricting download and installation of software on work PCs for personal use.

American Water Security Director Bruce Larson says younger workers’ expectations of flexible work schedules and telecommuting options create security demands.

Bruce Larson, security director with American Water, a Voorhees, N.J.-based tap-water supply company, says younger generations also demand more flexible schedules and work-at-home arrangements, which poses other security challenges.

“That means that sensitive teleconference is now coming into the home of an employee,” says Larson. “They are bringing the workplace into the home.”


Education for Both Young and Old

In Kapuria’s opinion, the key to minimizing risk from younger workers is education. “I don’t think there is any kind of malicious intent or rebellion on the part of this generation,” says Kapuria. “Companies should consider education programs tailored to this audience as part of their security approach.”

However, educating older workers is equally as important, according to Aaron Wilson, chief technology officer in the Managed Security Services division of Science Applications International Corp. Boomers’ lack of familiarity with new technology may make them a risk, too.

“Gen X/Y/Z employees often understand the nuances of the new technologies they bring, whereas Boomers may be equipped with the same technology but not as familiar with all of the functionality,” Wilson says. “This can be dangerous from a security standpoint, for example, when understanding the subtle difference between encrypted e-mail on a corporate RIM device versus an unencrypted e-mail on an iPhone. To the uninitiated, it’s all e-mail. To the security team, it’s safety versus possible unintentional exposure of sensitive data.”

Photo by Peter Murphy


EXECUTIVE VIEWPOINT

ADVERTISEMENT

Automated Identity Management Made Simple

The key to a successful implementation is all about shortening your project cycle.

Nelson Cicchitto
CHAIRMAN AND CEO, AVATIER CORP.

A career IT leader, Cicchitto joined the company in 1995. He oversees Avatier's overall corporate and product strategies, and commercialized the world's first delegated administration solution for the Microsoft Windows NT platform.

Automated identity management promises accuracy, consistency and efficiency. The trick to a successful implementation and a better ROI, says Cicchitto, is shortening your project cycle. An elongated cycle presents too many variables—from politics to cost overruns—that put even the best-laid plans at risk. Read on for more insights from Cicchitto.

What is the promise of automated identity management?

It’s all about making business processes more tightly integrated to run more efficiently and consistently. For example, with automated identity management, one of your most strategic investments—the HR system—can trigger new employee access as well as termination. This integration offers accuracy and consistency across systems and transparency to the business. It also provides additional business benefits such as cost reduction, increased efficiency, improved security and compliance.

Why is it proving to be such an elusive goal with traditional solutions?

Enterprises haven’t achieved their goals because legacy products are very resource- and time-intensive. They’re based on old technology that requires a lot of integration via scripting and programming. This demands a constant stream of on-site consultants and programmers for deployment and on-going maintenance. The likely result is that you’ll be off schedule, over budget and will potentially jeopardize the entire project.

What should CIOs look for in the right identity management solution?

The safest and most cost-effective choice is one that keeps you in control, not the consultants. For example, you should ensure that it can be managed by your internal staff even as the business grows or reorganizes—generating increased economies of scale as you add more users, roles, workflows and applications. Look for features such as point-and-click role management and programming-free workflow to simplify administration and adapt to changes in the business. Also, ask for a short proof of concept. If the vendor can prove that its solution easily integrates into your environment and can hit aggressive timelines, your risk is relatively low.

How can CIOs achieve a better ROI from identity management?

Identity management ROI has been adversely affected by large upfront professional services costs, often three times or more the cost of the software, and long projects that delay the expected savings. CIOs should select a solution that has more functionality built into the software itself, thereby eliminating custom programming and scripting. Not only does this reduce professional services costs and simplify maintenance, it greatly shortens the implementation and testing cycles required before going into production. ROI is also accelerated by taking a phased approach—focusing on the highest value organizational units, applications, roles and workflow.

What differentiates Avatier's offering?

We've changed the economics of identity management—going from project timelines and costs driven by extended professional services engagements to a focused methodology that accelerates assessment, proof of concept and deployment. This greatly reduces TCO and delivers measurable results. Avatier and its integration partners do in four weeks or less what others do in four months. Our Web services architecture, programming-free workflow and drag-and-drop interfaces dramatically reduce the need for external services—allowing CIOs and IT directors to remain in control of their identity management project.

FOR MORE INFORMATION:

Check out the white paper "User Provisioning On-time and On-budget" at www.avatier.com/evp.htm

CSO Custom Solutions Group

Larson sees education as an opportunity to plug holes in one’s risk level. Technology proliferation is not something that can be prevented with policy, he says. Organizations need to adapt to having them as part of the office culture. “This really falls under the category of hard technology introductions,” he says. “As these Web 2.0-type services evolve and become more the enterprise standard, more people across multiple generations are going to use them.”

Accessing Security Habits

Security consultant Jack Dowling remembers a simpler time when it came to building access and security.

“There was a time when a new system was put in place and there was an understanding that it took time to get used to. Now, as soon as something doesn’t work...,” Dowling trails off, sounding like an age-wise veteran reminiscing about the old days. “There are always going to be bugs in electronics. But now glitches are perceived as incompetence on the part of the company to work properly.”

Dowling, president of JD Security Consultants in Pennsylvania, has a resume in the field that dates back to the ’70s. He thinks both a high level of technical proficiency, coupled with a lot of impatience on the part of younger workers, makes it difficult for organizations to smoothly integrate new security systems and policies these days.

But despite their youth, it’s actually not Millennials who Dowling thinks pose the biggest threat when it comes to access. Instead, their slightly older peers are the ones you might want to watch out for if you are concerned about access. While Gen-Xers have matured and evolved considerably beyond their so-called rebellious earlier days, Dowling says it is still important to watch out for this group, which in today’s workforce means workers between 28 and 43 years old.

“They like to reject the rules. They have their own way of doing things,” says Dowling. “They tend to look for ways around the system, may not realize the security value and are probably less likely to comply.”

On the other hand, Millennials, a group whose young lives were defined by 9/11 and are comfortable with high-security systems, are more likely to comply, says Dowling. But then there is that impatience and short attention span thing again.

“Queuing problems, for instance,” Dowling says. “They may be more likely to get frustrated and less likely to comply if that is the case.” Queuing, or waiting in line, can sometimes be an issue in a security system, depending on how entry control works, Dowling notes. For example, an optical turnstile or other system of control may have a line. Impatient users may view this as a waste of time and try to gain access through an exit door and bypass the security protocol for entry, he says.

And as for his own Boomer generation?

“A new system comes into place and they have an understanding that it is there for a reason. They are going to use it and use it the right way.”

Spoken like a true Boomer.

Can’t We All Just Get Along?

All these different perspectives can no doubt lead to tension among workers. Workplace confrontation is a real concern when it comes to generational differences, according to Matuson.

Understanding different styles of communication is the first step to easing the frustration many older workers may have about their youthful colleagues.

“Some of my more mature clients think younger people are from another planet and don’t have any respect for their elders,” she says. “I think what some of the older workers need to understand is that it’s not that these younger workers don’t hear them. It’s that they listen in a different way.” In other words, have patience. Understand that just because a Millennial is texting in a meeting, he is still listening. Of course, he is accountable for the information being presented, like all attendees. If the concept seems a little hard to swallow, consider Matuson’s next piece of advice.

“I often say to clients: ‘When is the last time you successfully changed your children's ways? You need to change your approach instead.’”

Joseph A. Kinney, a security consultant in Pinehurst, N.C., often advises clients to develop mentor programs. “I think it’s great if a 50-year-old can just go to lunch with a 20-year-old and discuss things,” he says.

Hip to Be Secure

When implementing security policies and systems, corporations need to remember that each generation will see them differently and adhere in their own way. And in some cases, the system may be intimidating for mature employees who aren’t used to technology.

Matuson points to a story she heard from an older client who was waiting in a lobby for a job interview. As he watched scores of younger workers breeze through the building’s very high-tech screening system, he said he had one thought: “I’m not cool enough to work here.”

“How effective is a security system if it’s keeping potentially valuable employees away?” Matuson points out. Organizations should remember that when going forward and make sure every group is considered, she says. ■

Reach Senior Editor Joan Goodchild at jgoodchild@cxo.com.



[INDUSTRY VIEW]

By Bruce Schneier

Security ROI: Fact or Fiction?

ROI is a big deal in business, but it’s a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.

It’s become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best return on investment.

It’s a good idea in theory, but it’s mostly bunk in practice.

Before I get into the details, there’s one point I have to make. “ROI” as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.

But as anyone who has lived through a company’s vicious end-of-year budget-slashing exercises knows, when you’re trying to make your numbers, cutting costs is the same as increasing revenues. So while security can’t produce ROI, loss prevention most certainly affects a company’s bottom line.

And a company should implement only security countermeasures that affect its bottom line positively. It shouldn’t spend more on a security problem than the problem is worth. Conversely, it shouldn’t ignore problems that are costing it money when there are cheaper mitigation alternatives. A smart company needs to approach security as it would any other business decision: costs versus benefits.

The classic methodology is called annualized loss expectancy (ALE), and it’s straightforward. Calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk. So, for example, if your store has a 10 percent chance of getting robbed and the cost of being robbed is $10,000, then you should spend $1,000 a year on security. Spend more than that, and you’re wasting money. Spend less than that, and you’re also wasting money.

Of course, that $1,000 has to reduce the chance of being robbed to zero in order to be cost-effective. If a security measure cuts the chance of robbery by 40 percent—to 6 percent a year—then you should spend no more than $400 on it. If another security measure reduces it by 80 percent, it’s worth $800. And if two security measures both reduce the chance of being robbed by 50 percent and one costs $300 and the other $700, the first one is worth it and the second isn’t.

Photo by iStockphoto.com

The Data Imperative

The key to making this work is good data; the term of art is “actuarial tail.” If you’re doing an ALE analysis of a security camera at a convenience store, you need to know the crime rate in the store’s neighborhood and maybe have some idea of how much cameras improve the odds of convincing criminals to rob another store instead. You need to know how much a robbery costs: in merchandise, in time and annoyance, in lost sales due to spooked patrons, in employee morale. You need to know how much not having the cameras costs in terms of employee morale; maybe you’re having trouble hiring salespeople to work the night shift. With all that data, you can figure out if the cost of the camera is cheaper than the loss of revenue if you close the store at night—assuming that the closed store won’t get robbed as well. And then you can decide whether to install one.

Cybersecurity  is  considerably  harder, 
because  there  just  isn’t  enough  good  data. 
There  aren’t  good  crime  rates  for  cyber¬ 
space,  and  we  have  a  lot  less  data  about  how 
individual  security  countermeasures— or 
specific  configurations  of  countermea¬ 


sures— mitigate  those  risks.  We  don’t  even 
have  data  on  incident  costs. 

One  problem  is  that  the  threat  moves 
too  quickly.  The  characteristics  of  the 
things  we’re  trying  to  prevent  change  so 
quickly  that  we  can’t  accumulate  data  fast 
enough.  By  the  time  we  get  some  data, 
there’s  a  new  threat  model  for  which  we 
don’t  have  enough  data.  So  we  can’t  create 
ALE  models. 


But there’s another problem, and it’s that the math quickly falls apart when it comes to rare and expensive events. Imagine you calculate the cost—reputational costs, loss of customers, etc.—of having your company’s name in the newspaper after an embarrassing cybersecurity event to be $20 million. Also assume that the odds are 1 in 10,000 of that happening in any one year. ALE says you should spend no more than $2,000 mitigating that risk.

So far, so good. But maybe your CFO thinks an incident would cost only $10 million. You can’t argue, since we’re just estimating. But he just cut your security budget in half. A vendor trying to sell you a product finds a Web analysis claiming that the odds of this happening are actually 1 in 1,000. Accept this new number, and suddenly a product costing 10 times as much is still a good investment.

It gets worse when you deal with even more rare and expensive events. Imagine you’re in charge of terrorism mitigation at a chlorine plant. What’s the cost to your company, in money and reputation, of a large and very deadly explosion? $100 million? $1 billion? $10 billion? And the odds: 1 in a hundred thousand, 1 in a million, 1 in 10 million? Depending on how you answer those two questions—and any answer is really just a guess—you can justify spending anywhere from $10 to $100,000 annually to mitigate that risk.

Or take another example: airport security. Assume that all the new airport security measures increase the waiting time at airports by—and I’m making this up—30 minutes per passenger. There were 760 million passenger boardings in the United States in 2007. This means that the extra waiting time at airports has cost us a collective 43,000 years of extra waiting time. Assume a 70-year life expectancy, and the increased waiting time has “killed” 620 people per year—930 if you calculate the numbers based on 16 hours of awake time per day. So the question is: If we did away with increased airport security, would the result be more people dead from terrorism or fewer?
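The sensitivity the column describes, worked through in Python as an added example (not the author’s code): ALE is evaluated over the ranges of cost and probability the column quotes, and the airport waiting-time arithmetic is carried to its 620 and 930 figures. The `RiskScenario` container and the function names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from itertools import product


def ale(single_loss: float, annual_rate: float) -> float:
    """Annualized loss expectancy: single-loss cost times yearly probability.
    It is the ceiling on what is rational to spend per year mitigating the risk."""
    return single_loss * annual_rate


@dataclass(frozen=True)
class RiskScenario:
    """Candidate inputs for one risk (hypothetical container, not from the column)."""
    name: str
    loss_estimates: tuple  # plausible single-loss costs in dollars
    rate_estimates: tuple  # plausible annual probabilities of the event


def ale_spread(scenario: RiskScenario) -> dict:
    """Evaluate ALE over every combination of candidate inputs and report the range.
    The max/min ratio is how far anyone with an agenda can steer the 'justified' spend."""
    values = [ale(c, p) for c, p in product(scenario.loss_estimates, scenario.rate_estimates)]
    lo, hi = min(values), max(values)
    return {"name": scenario.name, "min": lo, "max": hi, "ratio": hi / lo}


def waiting_time_lives(boardings: float, extra_minutes: float, life_years: float,
                       awake_hours_per_day: float = 24.0) -> float:
    """Convert aggregate extra waiting time into whole lifetimes, as the column does."""
    total_hours = boardings * extra_minutes / 60
    total_years = total_hours / (awake_hours_per_day * 365)
    return total_years / life_years


# Constructed from the column's own figures; not a real risk assessment.
NEWSPAPER = RiskScenario("embarrassing breach in the newspaper",
                         loss_estimates=(10e6, 20e6),             # CFO's estimate vs. yours
                         rate_estimates=(1 / 10_000, 1 / 1_000))  # your odds vs. the vendor's
CHLORINE = RiskScenario("chlorine plant explosion",
                        loss_estimates=(100e6, 1e9, 10e9),
                        rate_estimates=(1e-5, 1e-6, 1e-7))

if __name__ == "__main__":
    for s in (NEWSPAPER, CHLORINE):
        r = ale_spread(s)
        print(f"{r['name']}: spend ${r['min']:,.0f} to ${r['max']:,.0f}/yr (x{r['ratio']:,.0f})")
    print(f"airport: {waiting_time_lives(760e6, 30, 70):.0f} 'lives'/yr, "
          f"{waiting_time_lives(760e6, 30, 70, awake_hours_per_day=16):.0f} counting awake hours only")
```

The newspaper scenario spans $1,000 to $20,000 a year and the chlorine plant $10 to $100,000, which is the whole point: the inputs, not the formula, decide the answer.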

Caveat  Emptor 

This kind of thing is why most ROI models you get from security vendors are nonsense. Of course their model demonstrates that their product or service makes financial sense: They’ve jiggered the numbers so that they do.

This doesn’t mean that ALE is useless, but it does mean you should 1) mistrust any analyses that come from people with an agenda and 2) use any results as a general guideline only. So when you get an ROI model from your vendor, take its framework and plug in your own numbers. Don’t even show the vendor your improvements; it won’t consider any changes that make its product or service less cost-effective to be an “improvement.” And use those results as a general guide, along with risk management and compliance analyses, when you’re deciding what security products and services to buy. ■


Bruce Schneier is the chief security technology officer of BT. His new book, Schneier on Security, will be published by John Wiley & Sons in September. His blog can be found at www.schneier.com.


46  www.csoonline.com  September  2008 


Photo  by  AP  Images/Worldwide 


THE  EMPLOYEE  SECURITY  AWARENESS  NEWSLETTER  FROM  THE  EDITORS  AT  CSO 


Security Smart is a quarterly security awareness newsletter ready for distribution to your employees — saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees' lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees — your organization's most valuable assets — will read and retain the information.


Subscribe  today! 


To view a sample issue of the newsletter, learn about the delivery options and to subscribe, visit:

www.SecuritySmartNewsletter.com 


For  more  information  please  visit 

www.SecuritySmartNewsletter.com

Security  Smart  is  published  by  CSO,  a  business  unit  of  CXO  Media.  ©  2007  CXO  Media  Inc. 


CSO 


BUSINESS  RISK  LEADERSHIP 


[debriefing]

A  Firm  Grasp 


New  England  Crack 


“A small group of people from Boston is suspected in a $100,000-plus scheme using stolen credit card numbers to boost balances on Dunkin' Donuts gift cards to their $200 limit, all with the aid of a computer...” -Boston.com 8/7/08


TRANSCRIPT OF POLICE INTERVIEW WITH THE ACCUSED AFTER THEY WERE ARRESTED AT A LOCAL DUNKIN’ DONUTS:


Interviewing Officer: OK, boys, start at the beginning.

Suspect 1: No, yeah, that’s the thing—it all started when I woke up with one of those headaches where all I could think was, I need coffee RIGHT NOW, so I walked to Dunkies for an extra large light with extra sugar and reached in my pocket and realized I had one of those gift cards, and that got me thinking how cool gift cards are because they always make stuff seem like it’s totally free even though you know in your head you paid at some point, but you’re not paying RIGHT THEN so it’s like, that’s cool and I called my buddy—

Suspect 2: And I was all, wouldn’t it be AWESOME if we had like hundreds of gift cards and NEVER had to pay for coffee and I’d so totally get an extra large regular every day and maybe a coffee roll or breakfast sandwich, or I really like those everything bagels too, or if I wanted to keep it mellow I’d just get a couple of donuts like those ones with the coconut sprinkles and honey dipped and jelly—

Suspect 1: Those coconut ones are nasty, dude, with that powdered sugar—it’s like the anthrax donut or something, totally foul, bro

Suspect 2: Nah, man, that’s a totally different donut—

Interviewing Officer: Let’s stay on track here, fellahs. And slow it down a bit.

Suspect 1: So yeah, and I knew he’s like wicked smart, but not in like a straight A’s kind of way—more like the finger quotes “he didn’t apply himself academically” kind of way like, this one time he didn’t study in comp sci class ALL YEAR and he’d just show up and take the tests and without ever looking at the material, he’d get B’s and be like whatever, this stuff is easy let’s go play Frisbee—

Suspect 2: So yeah, he comes to me about the coffee thing and I’m like DUH! this will be so easy we’ll just get on the carder’s forum online to get a few credit card numbers and then I’ll use my black box to do some anti-DNS pinning, then piggyback on some hacked routers in China using a proxy server in Panama, and make cash advances using the stealth PayPal account I set up through that Estonian dude with the wolf—

Suspect 1: Before you know it we’ve got like hundreds of cards MAXED OUT to the limit, like, what, 200 bucks each, dude—

Suspect 2: MAXED, bro—

Suspect 1: And I’m like getting seven, eight, 19 coffees a day—

Suspect 2: We were on like our 12th coffee when you guys showed up today—

Interviewing Officer: No kidding. So, let me get this straight. You stole credit cards and had unlimited access to these credit lines and you used the money to get free Dunkin’ Donuts gift cards?

Suspect 2: ...and sometimes we’d buy those big boxes of coffee or iced coffees or in the afternoon those thick frosty coffees and of course bagels and donuts and those long skinny donuts, whatever those are called—

Interviewing Officer: Bear claws?

Suspect 2: Naw, dude. Crullers! Crullers are AWESOME! Anyway we’re paying with the gift cards and every time the guy behind the counter was like, “do you want to see your balance?” and I’m like nah, it’s cool, I’m good—

Suspect 1: I think that’s what tipped you dudes off—

Suspect 2: Yeah, that dude behind the counter started to notice that ALL OUR CARDS WERE MAXED OUT—

Suspect 1: MAXED, BRO—

Suspect 2: Now we’re here, dude, end of story but are we like in BIG TROUBLE CAUSE IF WE ARE I GOTTA CALL MY MOM, DUDE—

Interviewing Officer: I think you can get off with just some, um, community service. Just stop talking. And follow me to the computer room.




Illustration  by  Steve  Traynor 


INTRODUCING Intel® Centrino® 2 with vPro™ technology. Remotely manage and protect notebooks against threats. That's IT as it should be.


intel.com/ITopia




New Intel® Centrino® 2 with vPro™ technology.

Added  protection  against  viruses  and  attacks* 


*Intel® Active Management Technology requires the computer system to have an Intel® AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. Setup requires configuration by the purchaser and may require scripting with the management console or further integration into existing security frameworks to enable certain functionality. It may also require modifications of implementation of new business processes. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Visit intel.com/technology/platform-technology/intel-amt

©2008 Intel Corporation. Intel, the Intel logo, Centrino logo, Centrino, and vPro are trademarks of Intel Corporation in the United States and other countries.


Once your IT security is doing everything you expect it to, have it do something no one would ever expect: Make your company more efficient, more flexible and more competitive than ever before. CA's approach to IT security centralizes Identity and Access Management (IAM). That means you can deploy applications faster and more securely to capitalize on market opportunities. And with best-in-class modularity, scalability and integration, CA security solutions enable growth. To learn more about the full potential of IT security, download the latest white paper at ca.com/secure.


CA  World  08:  November  16-20 
Register  at  caworld.com 
by  September  19  and  save  $200 


GOVERN  •  MANAGE  •  SECURE 


Transforming 
®  IT  Management 


